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PROTECTING  PATIENT  PRIVACY  IN 
HEALTHCARE  INFORMATION  SYSTEMS 


TUESDAY,  JUNE  19,  2007 

House  of  Representatives, 

Subcommittee  on  Information  Policy,  Census,  and 

National  Archives, 
Committee  on  Oversight  and  Government  Reform, 

Washington,  DC. 

The  subcommittee  met,  pursuant  to  notice,  at  2  p.m.  in  room 
2154,  Rayburn  House  Office  Building,  Hon.  Wm.  Lacy  Clay  (chair- 
man of  the  subcommittee)  presiding. 

Present:  Representatives  Clay,  Maloney,  Hodes,  and  Turner. 

Staff  present:  Tony  Haywood,  staff  director/counsel;  Jean  Gosa, 
clerk;  Adam  C.  Bordes,  professional  staff  member;  Nidia  Salazar, 
staff  assistant;  Charles  Phillips,  minority  counsel;  Allyson 
Blandford,  minority  professional  staff  member;  Patrick  Lyden,  mi- 
nority parliamentarian  and  member  services  coordinator;  and  Ben- 
jamin Chance,  minority  clerk. 

Mr.  Clay.  The  Subcommittee  on  Information  Policy,  Census,  and 
National  Archives  will  come  to  order. 

Let  me  begin  by  saying  good  afternoon  and  welcome  to  today's 
hearing  on  efforts  to  protect  the  privacy  of  personal  health  informa- 
tion in  electronic  health  care  information  systems. 

The  use  of  IT  to  store,  share,  and  secure  electronic  health  infor- 
mation has  expanded  rapidly  in  recent  years.  Many  insurers  and 
hospitals  have  already  transitioned  from  paper-based  records  to 
electronic  medical  record  systems  for  exchanging  patient  data.  This 
has  brought  important  benefits  to  both  patients  and  providers,  in- 
cluding shorter  hospital  stays,  improved  management  of  chronic 
disease,  and  fewer  redundant  tests  and  examinations. 

Americans  have  expressed  legitimate  concerns,  however,  about 
the  potential  for  improper  disclosure  of  personally  identifiable 
health  care  information.  Before  they  will  fully  embrace  the  benefits 
and  efficiencies  of  e-health  solutions,  patients  must  be  confident 
that  personal  information  in  electronic  format  is  as  secure  and  pri- 
vate as  information  in  paper  records. 

A  nationwide  health  information  network  promises  tremendous 
benefits  for  patients.  For  3  years  the  Department  of  Health  and 
Human  Services  has  been  working  to  make  the  idea  technically 
and  economically  feasible.  Unfortunately,  a  January  2007  GAO  re- 
port found  that  HHS  was  not  doing  enough  to  integrate  effective 
privacy  safeguards  into  its  long-term  national  strategy  for  health 
IT.  Varying  health  IT  privacy  standards  in  different  States  are  an- 
other area  of  concern. 
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While  the  enactment  of  the  Health  Insurance  Portability  and  Ac- 
countability Act  [HIPAA],  in  1996  was  an  important  step  forward, 
it  has  left  patients  with  disparate  privacy  protections.  I  believe  we 
should  amend  HIPAA  to  extend  the  most  effective  and  practical 
privacy  safeguards  to  everyone. 

I  introduced  bipartisan  legislation  in  the  109th  Congress  which 
proposed  to  establish  a  framework  for  a  uniform  national  health 
privacy  standard.  Giving  patients  greater  personal  control  over 
their  health  information  is  critical;  therefore,  putting  in  place 
stricter  notice  and  consent  requirements  for  all  third-party  disclo- 
sures and  information  sharing  activities  is  an  important  legislative 
objective  for  Congress  to  achieve. 

Today's  hearing  will  allow  different  perspectives  on  these  issues 
to  be  aired  as  we  move  toward  implementing  a  national  health  care 
information  network. 

I  must  say  that  I  am  disappointed  that  HHS  was  unable  to  sup- 
ply a  suitable  witness  to  appear  today  on  behalf  of  the  administra- 
tion, but  the  Department  has  submitted  written  testimony  for  to- 
day's hearing,  and  I  will  ask  GAO  and  our  other  witnesses  to  re- 
spond to  positions  stated  in  that  testimony. 

I  look  forward  to  the  testimony  of  all  of  our  witnesses. 

[The  prepared  statement  of  Hon.  Wm.  Lacy  Clay  follows:] 
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Opening  Statement  of  Rep.  Wm.  Lacy  Clay  (D-MO),  Chairman 
Subcommittee  on  Information  Policy,  Census,  and  National  Archives 
House  Committee  on  Oversight  and  Government  Reform 

Hearing  on  "^Protecting  Patient  Privacy  in  Healthcare  Information  Systems" 

June  19, 2007 

Good  afternoon  and  welcome  to  today's  hearing  on  efforts  to 
protect  the  privacy  of  personal  health  mformation  in  electronic 
healthcare  information  systems. 

The  use  of  information  technology  to  store,  share,  and  secure 
electronic  health  information  has  expanded  rapidly  in  recent  years. 
Many  insurers  and  hospitals  have  already  transitioned  from  paper- 
based  records  to  electronic  medical  record  systems  for  exchanging 
patient  data.  This  has  brought  important  benefits  to  both  patients 
and  providers,  including  shorter  hospital  ^tays,  improved 
management  of  chronic  disease,  and  fewer  redundant  tests  and 
examinations. 

Americans  have  legitimate  concerns,  however,  about  the 
potential  for  improper  disclosure  of  personally  identifiable 
healthcare  information.  Before  they  will  fully  embrace  the  benefits 
and  efficiencies  of  e-health  solutions,  patients  must  be  confident 
that  personal  information  in  electronic  format  is  as  secure  and 
private  as  information  in  paper  records. 

A  nationwide  health  information  network  promises 
tremendous  benefits  for  patients.  For  three  years,  the  Department 
of  Health  and  Human  Services  has  been  working  to  make  the  idea 
technically  and  economically  feasible.  Unfortunately,  a  January 
2007  GAO  report  found  that  HHS  was  not  doing  enough  to 
integrate  effective  privacy  safeguards  into  its  long-term  national 
strategy  for  health  I.T.  We'll  discuss  GAO's  report  this  afternoon. 
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Varying  health  IT  privacy  standards  in  different  states  are 
another  area  of  concern.  Enacted  in  1996,  the  Health  Insurance 
Portability  and  Accountability  Act,  or  HIPAA,  established  baseline 
national  standards  to  protect  the  privacy  of  personal  health 
information.  This  was  an  important  step  forward,  but  it  leaves 
patients  in  different  states  with  disparate  privacy  protections,  I 
believe  we  should  amend  HIPAA  to  extend  the  most  effective  and 
practical  privacy  safeguards  to  everyone.  Bipartisan  legislation 
that  I  introduced  in  the  109**'  Congress  proposed  to  do  that  by 
establishing  a  framework  for  a  uniform  national  health  privacy 
standard. 

Giving  patients  greater  personal  control  over  their  health 
information  is  also  critical.  Therefore,  putting  in  place  stricter 
notice  and  consent  requirements  for  all  third  party  disclosures  and 
information-sharing  activities  is  an  important  legislative  objective 
for  Congress  to  achieve. 

Today's  hearing  will  allow  different  perspectives  on  these 
issues  to  be  aired  as  we  move  toward  implementing  a  national 
healthcare  information  network.  I  must  say  that  I  am  deeply 
disappointed  that  HHS  was  unable  to  supply  a  suitable  witness  to 
appear  today  on  behalf  of  the  Administration;  but  the  Department 
has  submitted  written  testimony  for  today's  hearing,  and  I'll  ask 
GAO  and  our  other  witnesses  to  respond  to  positions  stated  in  that 
testimony.  I  look  forward  to  the  testimony  of  all  of  our  witnesses. 
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Mr.  Clay.  I  assume  when  the  ranking  member  gets  here  he  will 
have  an  opening  statement  and  we  will  yield  to  him  for  that,  but 
for  now  we  will  proceed  with  the  hearing. 

If  we  don't  have  any  additional  statements,  the  subcommittee 
will  now  hear  testimony  from  the  witnesses  before  us  today. 

On  our  first  panel  we  will  hear  from  Valerie  C.  Melvin,  Director 
for  Human  Capital  and  Management  Information  Systems  Issues 
at  GAO.  Welcome,  Ms.  Melvin. 

Accompan3dng  Ms.  Melvin  is  Linda  D.  Koontz,  Director  for  Infor- 
mation Management  Issues  at  GAO.  Welcome  to  you. 

Ms.  Melvin  will  deliver  GAO's  formal  testimony,  and  both  will  re- 
spond to  questions. 

Thank  you  for  appearing  before  the  committee  today.  It  is  the 
policy  of  the  Committee  on  Oversight  and  Government  Reform  to 
swear  in  all  witnesses  before  they  testify.  Will  you  both  please 
stand  and  raise  your  right  hands? 

[Witnesses  sworn.] 

Mr.  Clay.  Let  the  record  reflect  that  the  witnesses  answered  in 
the  affirmative. 

Ms.  Melvin,  you  will  have  5  minutes  to  make  an  opening  state- 
ment. Your  complete  written  testimony  will  be  included  in  the 
hearing  record. 

The  lighting  system  and  the  timing  system  does  not  work,  so  we 
will  notify  you  probably  through  the  use  of  the  gavel  when  you  get 
close  to  the  5-minute  time  limit. 

Mr.  Turner,  thank  you  for  being  here. 

Mr.  Turner.  Mr.  Chairman,  thank  you. 

Mr.  Clay.  OK.  And  you  may,  if  you  have  an  opening  statement, 
you  may  proceed,  sir. 

Mr.  Turner.  Thank  you,  Mr.  Chairman.  I  appreciate  that  and  I 
apologize  for  my  being  late. 

I  want  to  thank  you  for  holding  this  important  hearing  on  pri- 
vacy concerns  and  health  information  technology.  Many  health  care 
experts  agree  that  investing  in  health  information  technology  will 
dramatically  improve  patient  care  while  simultaneously  decreasing 
health  care  costs. 

For  example,  Kettering  Medical  Center  in  my  District  and  its 
partners  have  created  the  Da5rton  Individual  Health  Record  Pilot 
Project,  IHR.  The  Da3rton  IHR  pilot  combines  a  patient's  health  in- 
formation from  different  sources  and  presents  that  information  to 
patients,  doctors,  and  other  health  care  professionals  in  a  format 
that  helps  all  health  participants  make  efficient,  appropriate  deci- 
sions about  their  care  options. 

The  Dayton  IHR  is  a  Web-based  record  that  allows  a  patient  to 
access  their  information  from  their  home,  the  office,  or  even  if  the 
patient  ends  up  in  an  emergency  room  in  another  town. 

While  it  is  important  that  technology  like  the  Dayton  IHR  be 
made  available,  it  should  not  be  available  at  the  sacrifice  of  patient 
privacy  and  security.  The  Da3^on  IHR  ensures  that  only  the  pa- 
tient and  the  physicians  granted  access  by  the  patient  can  look  at 
the  information  within  the  IHR. 

This  subcommittee  has  previously  discussed  privacy  concerns  in 
relation  to  Federal  IT  infrastructures,  and  I  expressed  my  concerns 
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with  how  IT  breaches  affect  individuals,  as  well  as  national  secu- 
rity. 

Health  care  raises  unique  privacy  concerns,  but  I  am  interested 
to  learn  how  we  can  work  with  all  stakeholders  to  address  impor- 
tant privacy  issues  and  facilitate  the  adoption  of  health  IT.  Health 
IT  holds  the  promise  of  increasing  the  quality  of  health  care,  as 
well  as  decreasing  health  care  costs  for  American  families.  We 
must  be  careful,  however,  to  reach  these  goals  without  sacrificing 
the  security  of  professional  health  information. 

I  look  forward  to  hearing  the  information  from  today's  witnesses 
on  this  important  topic,  and  I  3deld  back  the  remainder  of  my  time. 

Thank  you. 

Mr.  Clay.  Thank  you  so  much,  Mr.  Turner. 
We  will  begin  with  Ms.  Melvin. 
You  may  proceed. 

STATEMENT  OF  VALERIE  C.  MELVIN,  DIRECTOR  OF  INFORMA- 
TION MANAGEMENT  ISSUES,  GOVERNMENT  ACCOUNTABIL- 
ITY OFFICE,  ACCOMPANIED  BY  LINDA  D.  KOONTZ,  DIREC- 
TOR FOR  INFORMATION  MANAGEMENT  ISSUES,  GOVERN- 
MENT ACCOUNTABILITY  OFFICE 

Ms.  Melvin.  Thank  you,  Mr.  Chairman  and  Ranking  Member 
Turner. 

We  are  pleased  to  be  here  today  to  testify  on  privacy  issues  asso- 
ciated with  efforts  to  increase  the  use  of  information  technology  in 
the  health  care  industry.  As  noted,  with  me  today  is  Linda  Koontz, 
Director  of  Information  Management  Issues,  who  is  responsible  for 
GAO's  privacy  work. 

In  2004  President  Bush  issued  an  Executive  order  that  called  for 
widespread  adoption  of  interoperable  electronic  health  records  by 
2014  and  established  a  National  Coordinator  for  Health  IT  to  lead 
and  foster  public/private  coordination. 

The  benefits  of  health  IT  are  immense,  and  include  reducing 
medical  errors  and  improving  public  health  emergency  response. 
However,  the  increasing  use  of  technology  also  raises  concerns  re- 
garding the  extent  to  which  patient  privacy  is  protected.  The  chal- 
lenge is  to  strike  the  right  balance  between  patient  privacy  con- 
cerns and  the  numerous  benefits  that  IT  has  to  offer. 

Over  the  past  few  years,  we  have  issued  reports  and  testified  nu- 
merous times  on  HHS'  efforts  toward  defining  a  national  health  IT 
strategy.  Among  these  reports,  one  issued  last  January  highlighted 
HHS'  health  IT  privacy  initiatives.  Today,  as  requested,  I  will  sum- 
marize the  results  of  that  study,  highlighting  three  points:  the  im- 
portance of  having  a  comprehensive  privacy  approach,  HHS'  initial 
efforts  to  address  privacy  as  part  of  its  national  health  IT  strategy, 
and  additional  efforts  needed. 

Privacy  is  a  major  concern  in  the  health  care  industry,  given  the 
sensitivity  of  certain  medical  information  and  the  complexity  of  the 
health  care  delivery  system,  with  its  numerous  players  and  exten- 
sive information  exchange  requirements.  This  concern  increases 
with  the  transition  to  using  more  electronic  health  records.  A  com- 
prehensive privacy  approach  is  needed  to  determine  how  personally 
identifiable  information  will  be  disclosed,  used,  and  protected. 
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HHS  acknowledges  in  its  national  health  IT  framework  the  need 
to  protect  consumer  privacy,  and  it  plans  to  develop  and  implement 
privacy  and  security  policies,  practices,  and  standards  for  electronic 
health  information  exchange.  To  this  end,  HHS  and  its  Office  of  the 
National  Coordinator  have  initiated  several  efforts,  including 
awarding  contracts,  including  one  for  privacy  and  security  solu- 
tions; consulting  with  the  National  Committee  on  Vital  and  Health 
Statistics  to  develop  privacy  recommendations;  and  forming  a  con- 
fidentiality, privacy,  and  security  work  group  to  identify  and  ad- 
dress privacy  and  security  policy  issues. 

Ultimately,  the  National  Coordinator's  Office  intends  to  use  the 
results  of  these  initiatives  to  identify  policy  and  technical  solutions 
for  protecting  personal  health  information  as  part  of  its  continuing 
efforts  to  complete  a  national  health  IT  strategy.  However,  while 
these  efforts  are  good  building  blocks  on  which  progress  has  been 
made,  important  work  remains,  including  assessing  how  variations 
in  State  laws  affect  health  information  exchange,  acting  on  the  pri- 
vacy and  security  contractor's  findings  and  advisory  group  rec- 
ommendations, and  identifying  and  implementing  privacy  and  se- 
curity standards. 

Moreover,  how  and  when  HHS  plans  to  integrate  the  outcomes 
of  these  initiatives  is  unclear;  thus,  we  have  recommended  that 
HHS  develop  an  overall  privacy  approach  that  identifies  milestones 
in  an  accountable  entity  for  integrating  the  outcomes  of  its  health 
IT  contracts  and  advisory  group  recommendations,  ensures  that 
key  privacy  principles  are  fully  addresses,  and  addresses  key  chal- 
lenges associated  with  legal  and  policy  issues  and  the  disclosure, 
access  to,  and  security  of  information. 

In  recent  discussions  with  us,  the  National  Coordinator  commit- 
ted to  developing  a  plan  that  would  accomplish  these  objectives.  In 
this  regard,  he  announced  last  weekend  an  initiative  to  build  con- 
sensus around  a  harmonized  set  of  privacy  and  security  principles 
which  are  to  serve  as  a  framework  for  addressing  these  important 
issues. 

Overall,  Mr.  Chairman,  the  National  Coordinator's  intent  to  act 
on  such  an  approach  is  promising,  and  building  a  framework  based 
on  fair  information  principles  is  a  good  starting  point  for  moving 
forward;  however,  achieving  this  goal  to  safeguard  personal  health 
information  will  be  difficult  and  plagued  with  challenges  and  will 
necessitate  sustained  leadership  from  HHS  to  realize  success. 

This  concludes  our  prepared  statement.  We  would  be  pleased  to 
respond  to  any  questions  that  you  may  have. 

[The  prepared  statement  of  Ms.  Melvin  follows:] 
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HEALTH  INFORMATION  TECHNOLOGY 

Efforts  Continue  but  Comprehensive 
Privacy  Approach  Needed  for  National 
Strategy 


Why  GAD  Did  This  Study 

In  April  2004,  President  Bush  called 
for  the  Department  of  Health  and 
Human  Services  (HHS)  to  develop 
and  implement  a  strategic  plan  to 
guide  the  nationwide 
implementation  of  health 
information  technology  (IT).  The 
plan  is  to  recommend  methods  to 
ensure  the  privacy  of  electronic 
health  information. 

GAO  vras  asked  to  summarize  its 
January  2007  report.  The  report 
describes  the  steps  HHS  is  takirtg 
to  ensure  privacy  protection  as  part 
of  its  national  health  IT  strategy 
and  identifies  challenges 
associated  with  protecting 
electronic  health  information 
exchanged  within  a  nationwide 
health  information  network. 


What  GAO  Recommends 


GAO  recommended  that  HHS 
define  and  implement  an  overall 
privacy  approach  that  identifies 
milestones  for  integrating  the 
outcomes  of  its  initiatives,  ensures 
that  key  privacy  principles  are  fully 
addressed,  and  addresses 
chaUenges  associated  with  the 
nationwide  exchange  of  health 
information.  In  its  initial 
comments,  HHS  disagreed  with  this 
reconunendatiotv  and  stated  that  it 
had  established  a  comprehensive 
privacy  approach.  In  recent 
discussions  with  GAO,  the  Natioral 
Coordinator  for  Heiilth  FT  agreed 
with  the  need  for  an  overall 
approach  to  protect  health 
information  and  stated  that  the 
department  was  initiating  steps  to 
address  the  recommendation. 

www.gao  gov'cgi-bin/getrpl''GAO-07-988T. 

To  view  the  full  product,  including  the  scope 
and  methodology,  click  on  the  link  above. 
For  more  intonnrtation,  contact  Valerie  C. 
Melvin,  (202)  512-6304,  melvinv@gao,gov. 


What  GAO  Found 

HHS  and  its  Office  of  the  National  Coordinator  for  Health  IT  have  initiated 
actions  to  identify  solutions  for  protecting  personal  health  information 
through  several  contracts  and  with  two  health  information  advisory 
committees.  For  example,  in  late  2005,  HHS  aweurded  several  health  IT 
contracts  that  include  requirements  for  addressing  the  privacy  of  personal 
health  information  exchanged  within  a  nationwide  health  information 
exchange  network.  HHS's  privacy  and  security  solutions  contractor  is  to 
assess  the  organization-level  privacy-  and  security-related  policies,  practices, 
laws,  and  regulations  that  affect  interoperable  health  information  exchange. 
In  June  2006,  the  National  Committee  on  Vital  and  Health  Statistics  made 
recommendations  to  the  Secretary  of  HHS  on  protecting  the  privacy  of 
personal  health  information  within  a  nationwide  health  information  network 
and,  in  August  2006,  the  American  Health  Information  Community  convened 
a  work  group  to  address  privacy  and  security  policy  issues  for  nationwide 
health  information  exchange.  While  its  activities  are  intended  to  address 
aspects  of  key  principles  for  protecting  the  privacy  of  health  information, 
HHS  is  in  the  early  stages  of  its  efforts  and  has  therefore  not  yet  defined  an 
overall  approach  for  integrating  its  various  privacy-related  initiatives  and 
addressing  key  privacy  principles,  nor  has  it  defined  milestones  for 
integrating  the  results  of  these  activities. 

GAO  identified  key  challenges  associated  with  protecting  electronic 
^et^onaUj^altMnfon^^ 

Challenges  to  Exchanging  Electronic  Health  Information  


Understanding  and 
resolving  legal  and 
policy  issues 


Ensuring  appropriate 
disclosure 


Ensuring  individuals' 
rjgWs  lo  request  access 
and  amendments  lo 
health  infonmation 


•  Resolving  uncertainties  regarding  the  extent  of  federal  privacy 
protection  required  of  various  organizations 

» Understanding  and  resolving  data  sharing  issues  introduced  by 

varying  state  privacy  laws  and  organization-level  practices 
» Reaching  agreements  on  differing  interpretations  and  applications  of 
the  HIPAA  privacy  and  security  rules 

•  Determining  liability  and  enforcing  sancHons  in  case  of  ijreaches  of 
confidentiality  

•  Detennining  the  minimum  data  necessary  that  can  be  disclosed  in 
order  for  requesters  to  accompfish  their  intended  purposes 

» Determining  the  best  way  to  allow  patients  to  participate  In  and 
consent  to  electronic  health  information  exchange 
►  Educating  consumers  about  the  extent  to  which  their  consent  to  use 
and  disclose  health  information  applies  

•  Ensuring  that  individuals  understand  that  they  have  rights  to  request 
access  and  amendments  to  their  own  health  information 

» Ensuring  that  individuals'  amendments  are  property  made  and 

 tracked  across  multiple  locations  

Implementing  adequate    •  Determining  and  implementing  adequate  techniques  for 

security  measures  for        authenticating  requesters  of  health  information 

protecting  health  •  Implementing  proper  access  controls  and  maintaining  adequate  audit 

infonnation  trails  for  monitoring  access  to  health  data 

•  Protecting  data  stored  on  portable  devices  and  transmitted  between 
business  partners 


Sourer  GAO  analyuls  of  intomaHon  provided  by 
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Mr.  Chairman  and  Members  of  the  Subcommittee: 

We  appreciate  the  opportunity  to  participate  in  today's  hearing  on 
privacy  initiati\^s  associated  with  the  Department  of  Health  and 
Human  Services's  (HHS)  national  health  information  technology 
(IT)  strategy.  Key  privacy  principles  for  protecting  personal 
information  have  been  in  existence  for  years  and  provide  a 
foundation  for  privacy  laws,  practices,  and  policies.  Those  privacy 
principles  are  reflected  in  the  pro\isions  of  the  Health  Insurance 
Portability  and  Accountability  Act  of  1996  (HIPAA)  and  its 
implementing  regulations,  which  defme  the  circumstances  under 
which  an  individual's  protected  health  information  may  be  used  or 
disclosed. 

In  April  2004,  President  Bush  issued  an  executive  order  that  called 
for  the  development  and  implementation  of  a  strategic  plan  to  guide 
the  nationwide  implementation  of  interoperable  health  IT  in  both 
the  public  and  pri\^e  sectors.'  The  plan  is  to  address  prrvacy  and 
security  issues  related  to  interoperable  health  IT  and  recommend 
methods  to  ensure  appropriate  authorization,  authentication,  and 
encryption  of  data  for  transmission  over  the  Internet  The  order  also 
established  the  position  of  the  National  Coordinator  for  Health 
Information  Technology  vsithin  HHS  as  the  government  official 
responsible  for  developing  and  implementing  this  strategic  plan. 

At  your  request,  our  testimony  today  summarizes  our  January  2007 
report  that  (1)  describes  the  steps  HHS  is  taking  to  ensure  pri\^cy 
protection  as  part  of  the  national  health  IT  strategy  and  (2)  identifies 
challenges  associated  with  meeting  requirements  for  protecting 
personal  health  information  within  a  nationwide  health  im'ormation 
network.'  The  testimony  also  describes  relevant  activities  that  HHS 


Executive  Order  13336,  Incentives  for  the  Use  of  Health  I-nformation  Technt^ogy  and 
Establishing  the  Position  of  the  National  Health  Information  Technology  Coordinator 
(Washington,  D.C.:  Apr.  27,  2004). 

^AO,  HeaUh  I'nformation  TechwAogy:  Batiy  Efforts  Initiated  but  ComprOiensive 
Privacy  Approach  Needed  for  National  Strategy,  li  A!  »it7  iK  (Washington,  D.C.:  Jan.  10, 
2007).;  GAO,  Health  Iriformation  Technology.  Early  Efforts  Initiated,  bu  t  Comprehensive 
Privacy  Approach  Needed  for  National  Strategy;  ( '.At  >  (C-  J(M)  r  (Washington,  D.C.:  Feb  1, 
2007) 
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has  reported  undertaking  since  our  January  report.  In  preparing  for 
this  testimony,  we  relied  primarily  on  our  work  supporting  the 
report,  which  contains  a  detailed  overview  of  our  scope  and 
methodology.  The  work  on  which  this  testimony  is  based  was 
performed  in  accordance  with  generally  accepted  government 
auditing  standards. 


Results  in  Brief 

HHS  and  its  Office  of  the  National  Coordinator  for  Health  IT  have 
initiated  actions  to  study  the  protection  of  personal  health 
information  through  the  work  of  several  contracts,  the  National 
Committee  on  Vital  and  Health  Statistics,^  and  the  American  Health 
Information  Community.^  For  example: 

•  In  late  2005,  HHS  awarded  several  health  IT  contracts  that  include 
requirements  for  addressing  the  privacy  of  personal  health 
information  exchanged  within  an  electronic  nationwide  health 
information  network. 

•  In  summer  2006,  HHS's  contractor  for  privacy  and  security  solutions 
selected  33  states  and  Puerto  Rico  as  locations  in  which  to  perform 
assessments  of  organization-level  privacy-  and  security-related 
policies,  practices,  laws,  and  regulations  that  affect  interoperable 
health  information  exchange  and  to  propose  privacy  and  security 
protections  that  permit  interoperability. 

•  In  June  2006,  the  National  Committee  on  Vital  and  Health  Statistics 
(NCVHS)  provided  a  report  to  the  Secretary  of  HHS  that  made 
recommendations  on  protecting  the  privacy  of  personal  health 
information  within  a  nationwide  health  information  network. 


The  National  Committee  on  Vitai  and  Health  Statistics  was  established  in  1949  as  a  public 
advisory  committee  that  is  statutorily  authorized  to  advise  the  Secretary  of  HHS  on  health 
data,  statistics,  and  national  health  information  policy,  including  the  implementation  of 
health  IT  standards. 

*rhe  American  Health  Information  Community  is  a  federally  chartered  advisory  committee 
made  up  of  representath^es  from  both  tixe  public  and  private  health  care  sectors.  The 
community  provides  input  and  recommendations  to  HHS  on  making  health  records 
electronic  and  providing  assurance  that  the  privacy  and  security  of  those  records  are 
protected. 
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•  In  August  2006,  the  American  Health  Information  Community 
also  convened  a  work  group  to  address  privacy  and  security 
policy  issues  for  nationwide  health  information  exchange. 

HHS  and  its  Office  of  the  National  Coordinator  for  Health  IT  intend 
to  use  the  results  of  these  activities  to  identify  technology  and  policy 
solutions  for  protecting  personal  health  information  as  part  of  their 
continuing  efforts  to  complete  a  national  strategy  to  guide  the 
nationwide  implementation  of  health  IT.  While  these  activities  are 
intended  to  address  aspects  of  key  principles  for  protecting  health 
information,  HHS  is  in  the  early  stages  of  its  efforts  and  has  not  yet 
defined  an  overall  approach  for  integrating  its  various  privacy- 
related  initiatives  and  addressing  key  privacy  principles.  In  addition, 
milestones  for  integrating  the  results  of  these  activities  do  not  yet 
exist  Until  HHS  defines  an  integration  approach  and  milestones  for 
completing  these  steps,  its  overall  approach  for  ensuring  the  privacy 
and  protection  of  personal  health  information  exchanged 
throughout  a  nationwide  network  will  remaiin  unclear. 

Key  challenges  associated  with  protecting  personal  health 
information  are  understanding  and  resolving  legal  and  policy  issues, 
such  as  those  related  to  variations  in  states'  privacy  laws;  ensuring 
that  only  the  minimum  amoimt  of  information  necessary  is  disclosed 
to  only  those  entities  authorized  to  receive  the  information;  ensuring 
individuals'  rights  to  request  access  and  amendments  to  their  own 
health  information;  and  implementing  adequate  security  measures 
for  protecting  health  information. 

We  recommended  in  our  report  that  the  Secretary  of  HHS  define  and 
implement  an  overall  approach  for  protecting  health  information  as 
part  of  the  strategic  plan  called  for  by  the  President.  This  approach 
should  (1)  identify  milestones  for  integrating  the  outcomes  of  its 
privacy-related  initiatives,  (2)  ensure  that  key  privacy  principles  are 
fully  addressed,  and  (3)  address  key  challenges  associated  with  the 
nationwide  exchange  of  health  information. 

In  commenting  on  our  report,  HHS  disagreed  with  our 
recommendation  and  referred  to  the  department's  "comprehensive 
and  integrated  approach  for  ensuring  the  privacy  and  security  of 
health  information  within  nationwide  health  information  exchange." 
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While  we  acknowledged  in  our  report  that  HHS  had  initiated  key 
efforts  to  address  its  objective  to  protect  consumer  privacy,  we 
found  that  HHS's  approach  for  addressing  privacy  and  security  did 
not  address  elements  that  should  be  included  in  a  comprehensive 
privacy  approach,  such  as  milestones  for  integration,  identification 
of  the  entity  responsible  for  integrating  the  outcomes  of  privacy- 
related  initiatives,  and  plans  to  address  key  privacy  principles  and 
challenges.  In  recent  discussions  with  GAO,  the  National 
Coordinator  for  Health  IT  agreed  with  the  need  for  an  overall 
approach  to  protect  health  information  and  stated  that  the 
department  was  initiating  steps  to  address  our  recommendation. 

Further,  since  our  report  was  issued,  HHS  reported  that  it  has 
undertaken  additional  activities  to  address  privacy  and  security 
concerns.  For  example,  NCVHS's  subcommittee  on  privacy  and 
confidentiality  has  drafted  additional  recommendations  to  the 
Secretary  of  HHS  regarding  the  expansion  of  health  information 
privacy  law  coverage  to  entities  that  are  not  currently  covered.  In 
addition,  the  privacy  and  security  solutions  contractor  is  in  the 
process  of  analyzing  34  states'  final  assessments  of  organization- 
level  business  practices.  Also,  HHS  has  awarded  a  new  contract,  the 
State  Alliance  for  e-Health,  which  is  intended  to  identify  state-level 
health  IT  issues,  including  challenges  to  ensuring  the  privacy  of 
health  information  and  solutions  for  providing  security. 


Background 

According  to  the  Institute  of  Medicine,  the  federal  government  has  a 
central  role  in  shaping  nearly  all  aspects  of  the  health  care  industry 
as  a  regulator,  purchaser,  health  care  provider,  and  sponsor  of 
research,  education,  and  training.  According  to  HHS,  federal 
agencies  fund  more  than  a  third  of  the  nation's  total  health  care 
costs.  Given  the  level  of  the  federal  government's  participation  in 
providing  health  care,  it  has  been  urged  to  take  a  leadership  role  in 
driving  change  to  improve  the  quality  and  effectiveness  of  medical 
care  in  the  United  States,  including  expanded  adoption  of  IT. 
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In  April  2004,  President  Bush  called  for  the  widespread  adoption  of 
interoperable  electronic  health  records  within  10  years  and  issued 
an  executive  order  that  established  the  position  of  the  National 
Coordinator  for  Health  Information  Technology  within  HHS  as  the 
government  official  responsible  for  the  development  and  execution 
of  a  strategic  plan  to  guide  the  nationwide  implementation  of 
interoperable  health  IT  in  both  the  public  and  private  sectors."  In 
July  2004,  HHS  released  The  Decade  of  Health  Info-rmation 
Technology:  Delivering  Consumer-centric  and  Information-rich 
Health  Care — Framework  for  Strategic  ActionJ  This  framework 
described  goals  for  achieving  nationwide  interoperability  of  health 
IT  and  actions  to  be  taken  by  both  the  public  and  private  sectors  in 
implementing  a  strategy.  HHS's  Office  of  the  National  Coordinator 
for  Health  IT  updated  the  framework's  goals  in  Jime  2006  and 
included  an  objective  for  protecting  consumer  privacy.  It  identified 
tw^o  specific  strategies  for  meeting  this  objective — (1)  support  the 
development  and  implementation  of  appropriate  privacy  and 
security  policies,  practices,  and  standards  for  electroriic  health 
iitformation  exchange  and  (2)  develop  and  support  policies  to 
protect  against  discrimination  based  on  personal  health  information 
such  as  denial  of  medical  insurance  or  employment 

In  July  2004,  we  testified  on  the  benefits  that  effective 
implementation  of  IT  can  bring  to  the  health  care  industry  and  the 
need  for  HHS  to  provide  continued  leadership,  clear  direction,  and 
mechanisms  to  monitor  progress  in  order  to  bring  about  measurable 
improvements."  Since  then,  we  have  reported  or  testified  on  several 
occasions  on  HHS's  efforts  to  define  its  national  strategy  for  health 
IT.  We  have  recommended  that  HHS  develop  the  detailed  plans  and 
milestones  needed  to  ensure  that  its  goals  are  met  and  HHS  agreed 
with  our  recommendation  and  has  taken  some  steps  to  define  more 


'Executive  Order  13335. 

^Department  of  Health  and  Human  Services,  "Tfie  Decade  of  Health  Ir^formation 
Technology:  Delivering  Consumer-centric  and  Informati(rn-rich  Heal-th  Care:  A 
Pramexeork  firr  Strategic  Action"  (Viashinp-on,  D.C.:  July  21,  2004). 

'GAD,  Health  Care:  Nationcd  Strategy  Needed  to  Accelerate  the  Implementation  of 
Ivformation  Technology.  <  ;.\<  t-tU  ;n7l  (Washington,  DC:  July  14,  2004). 
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detailed  plans.'  In  our  report  and  testimonies,  we  have  described  a 
number  of  actions  that  HHS,  through  the  Office  of  the  National 
Coordinator  for  Health  IT,  has  taken  toward  accelerating  the  use  of 
IT  to  transform  the  health  care  industry,*  including  the  development 
of  its  framework  for  strategic  action.  We  have  also  described  the 
Office  of  the  National  Coordinator's  continuing  efforts  to  work  with 
other  federal  ^encies  to  revise  and  refine  the  goals  and  strategies 
identified  in  its  initial  framework.  The  current  draft  framework — 
The  Office  of  the  National  Coordinator:  Goals,  Objectives,  and 
Strategies — identifies  objectives  for  accomplishing  each  of  four 
goals,  along  with  32  high-level  strategies  for  meeting  the  objectives, 
including  the  two  strategies  for  protecting  consumer  privacy. 


Health  Insurance  Portability  and  Accountability  Act  of  1996 

Federal  health  care  reform  initiatives  of  the  early-  to  mid-1990s  were 
inspired  in  part  by  public  concern  about  the  privacy  of  personal 
medical  information  as  the  use  of  health  IT  increased.  Congress, 
recognizing  that  benefits  and  efficiencies  could  be  gained  by  the  use 
of  information  technology  in  health  care,  also  recognized  the  need 
for  comprehensive  federal  medical  privacy  protections  and 
consequently  passed  HIPAA.  This  law  provided  for  the  Secretsiry  of 
HHS  to  establish  the  first  broadly  applicable  federal  privacy  and 
security  measures  designed  to  protect  individual  health  care 
information. 

HIPAA  required  the  Secretary  of  HHS  to  promulgate  regulatory 
standards  to  protect  certain  personal  health  information  held  by 
covered  entities,  which  are  certain  health  plans,  health  care 


^AO,  Health  Information  Technology:  HHS  Is  Continuing  Efforts  to  Define  Its  National 
Strategy,  <iA()-(Mi.lOTrr (Washington,  D.C.:Sept  1,2006). 

'GAG,  Health  Irtformation  Technology:  HHS  Is  Taking  Steps  to  Develop  a  National 
Strategy,  •  i A<      lij.s  (Washington,  D.C.:  May  27, 2005);  GAG,  Health  Informalion 
Technology:  HHS  Is  Continuing  Efforts  to  Define  a  National  Strategy,  i;A(  Miii-.J)()  I' 
(Washington.  D.C.:  Mar.  15.  2006);  (;A(M«i-I(iTn 
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providers,  and  health  care  clearinghouses.'"  It  also  required  the 
Secretary  of  HHS  to  adopt  security  standards  for  covered  entities 
that  maintain  or  transmit  health  information  to  ensure  that  such 
irtformation  is  reasonably  and  appropriately  safeguarded.  The  law 
requires  that  covered  entities  take  certain  measures  to  ensure  the 
confidentiality  and  integrity  of  the  information  and  to  protect  it 
against  reasonably  anticipated  unauthorized  use  or  disclosure  and 
threats  or  hazards  to  its  security. 

HIPAA  provides  authority  to  the  Secretary  to  enforce  these 
standards.  The  Secretary  has  delegated  administration  and 
enforcement  of  privacy  standards  to  the  department's  Office  for 
Civil  Rights  and  enforcement  of  the  security  standards  to  the 
department's  Centers  for  Medicare  and  Medicaid  Services. 

Most  states  have  statutes  that  in  varying  degrees  protect  the  privacy 
of  personal  health  information.  HIPAA  recognizes  this  and 
specifically  provides  that  its  implementing  regulations  do  not 
preempt  contrary  provisions  of  state  law  if  the  state  laws  impose 
more  stringent  requirements,  standards,  or  specifications  than  the 
federal  privacy  rule.  In  this  way,  the  law  and  its  implementing  rules 
establish  a  baseline  of  mandatory  minimum  privacy  protections  and 
define  basic  principles  for  protecting  personal  health  information. 

The  Secretary  of  HHS  first  issued  HIPAA's  Privacy  Rule  in 
December  2000,  following  public  notice  and  comment,  but  later 
modified  the  rule  in  August  2002.  Subsequent  to  the  issuance  of  the 
Privacy  Rule,  the  Secretary  issued  the  Security  Rule  in  February 
2003  to  safeguard  electronic  protected  health  information  and  help 


'"HIPAA's  protection  of  health  infomiation  is  iimited  by  the  scope  of  its  defined  terms. 
"Health  information"  is  defined  as  any  information  that  is  created  or  received  by  a  health 
care  provider,  health  plan,  public  health  authority,  employer,  life  insurer,  school  or 
university,  or  health  care  clearinghouse  and  related  to  any  physical  or  mental  health  or 
condition  of  an  individual,  the  provision  of  health  care  to  an  individual,  or  any  payment  for 
the  provision  of  health  care  to  an  individual.  "Covered  entities'  are  health  plans  that 
provide  or  pay  for  the  medical  care  of  individuals,  health  care  providers  that  electronically 
transmit  health  information  in  connection  with  any  of  the  transactions  regulated  by  the 
statute,  and  health  care  clearinghouses  that  receive  health  infonnatlon  from  other  entities 
and  process  or  facilitate  the  processing  of  that  information  for  those  entities.  Our 
description  of  HIPAA's  protection  of  the  privacy  or  personal  health  information  is  limited 
accordingly. 
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ensure  that  covered  entities  have  proper  security  controls  in  place 
to  provide  assurance  that  the  information  is  protected  from 
unwarranted  or  unintentional  disclosure. 

The  Privacy  Rule  reflects  basic  privacy  principles  for  ensuring  the 
protection  of  personal  health  informjUion.  Table  1  summarizes  these 
principles. 


Table  1:  Key  Privacy  Principles  in  HIPAA's  Privacy  Rule 


HIPAA  Privacy  Rule  principle 


Uses  and  disclosures 


Provides  limits  to  the  circumstances  in  which  an  individual's  protected  health  information 
may  be  used  or  disclosed  by  covered  entities  and  provides  for  accounting  of  certain 
disclosures;  requires  covered  entities  to  make  reasonable  efforts  to  disclose  or  use  only  the 
minimum  information  necessary  to  accomplish  the  intended  purpose  for  the  uses, 
disclosures,  or  requests,  with  certain  exceptions  such  as  for  treatment  or  as  required  by  law. 
Requires  most  covered  entities  to  provide  a  notice  of  their  privacy  practices  including  how 

personal  health  infonnation  may  be  used  and  disclosed.  

Establishes  individuals'  rights  to  review  and  obtain  a  copy  of  their  protected  health 

 information  held  in  a  designated  record  set.'  

Security"  Requires  covered  entities  to  safeguard  protected  health  information  from  inappropriate  use 

 or  disclosure.  

AmerKlments                            Gives  individuals  the  right  to  request  from  covered  entities  changes  to  inaccurate  or 
 inconrtplete  protected  health  information  held  in  a  designated  record  set.'  


Administrative  requirements 


Requires  covered  entities  to  analyze  thteir  own  needs  and  implement  solutions  appropriate 
for  their  own  environment  based  on  a  basic  set  of  requirennents  for  which  they  are 

accountable.  

Requires  covered  entities  to  obtain  the  individual's  written  authorization  for  uses  and 
disclosures  of  personal  health  information  with  certain  exceptions,  such  as  for  treatnwnt. 
payment,  and  health  care  operations,  or  as  required  by  law.  Covered  entities  may  choose  to 
obtain  the  incfividuai's  consent  to  use  or  disclose  protected  health  information  to  carry  out 
treatment,  payment  or  health  care  operations,  but  are  not  required  to  do  so.  

Source.  GAO  analysa  of  mPAA  Privacy  Rule. 

'According  to  the  Privacy  Rule,  a  designated  record  set  is  a  group  of  records  maintained  by  or  for  a 
covered  entity  that  are  (1)  the  medical  records  and  billing  records  atiout  individuals  maintained  by  or 
for  a  covered  health  care  provider;  (2)  the  enrollmer^,  payment,  claims  adjudication,  and  case  or 
medical  management  record  systems  maintained  t>y  or  for  a  hesilth  plan:  or  (3)  used,  in  whole  or  in 
part,  by  or  for  the  covered  entity  to  make  decisions  at>out  individuals. 

'TTie  Security  Rule  further  defines  safeguards  that  covered  entities  must  implement  to  provide 
assurance  that  health  infomoation  is  protected  from  Inappropriate  use  and  disclosure. 
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HHS  Has  Initiated  Actions  to  Identify  Solutions  for  Protecting 
Personal  Health  Information  but  Has  Not  Defined  an  Overall 
Approach  for  Addressing  Privacy 

HHS  and  its  Office  of  the  National  Coordinator  for  Health  IT  have 
irutiated  actions  to  identify  solutions  for  protecting  health 
information.  Specifically,  HHS  awarded  several  health  IT  contracts 
that  include  requirements  for  developing  solutions  that  comply  with 
federal  privacy  and  security  requirements,  consulted  with  the 
National  Committee  on  Vital  and  Health  Statistics  (NCVHS)  to 
develop  reconunendations  regarding  pri\^cy  and  confidentiality  in 
the  Nationwide  Health  Information  Network,  and  formed  the 
American  Health  Information  Conununity  (AHIC)  Confidentiality, 
Privacy,  and  Security  Workgroup  to  frame  privacy  and  security 
poUcy  issues  and  identify  viable  options  or  processes  to  address 
these  issues.  The  Office  of  the  National  Coordinator  for  Health  IT 
intends  to  use  the  results  of  these  activities  to  identify  technology 
and  policy  solutions  for  protecting  persor^al  health  information  as 
part  of  its  continuing  efforts  to  complete  a  national  strategy  to  guide 
the  nationwide  implementation  of  health  IT.  However,  HHS  is  in  the 
early  stages  of  identifying  solutions  for  protecting  personal  health 
information  and  has  not  yet  defined  an  overall  approach  for 
integrating  its  various  pri\^y-related  initiatives  and  for  addressing 
key  privacy  principles. 


HHS's  Contracts  Are  to  Address  Privacy  and  Security  Policy  and  Standards  for 
Nationwide  Health  Information  Exchange 

HHS  awarded  four  major  health  IT  contracts  in  2005  intended  to 
advance  the  nationwide  exchange  of  health  information — Privacy 
and  Seciuity  Solutions  for  Interoperable  Health  Information 
Exchange,  Standards  Harmonization  Process  for  Health  IT, 
Nationwide  Health  Information  Network  Prototypes,  and 
Compliance  Certification  Process  for  Health  IT.  These  contracts 
include  requirements  for  developing  solutions  that  comply  with 
federal  privacy-  requirements.  The  contract  for  privacy  and  security 
solutions  is  intended  to  specifically  address  privacy  and  security 
policies  and  practices  that  affect  nationwide  health  information 
exchange. 
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HHS's  contract  for  privacy  and  security  solutions  is  intended  to 
provide  a  nationwide  synthesis  of  information  to  inform  privacy  and 
security  policymaking  at  federal,  state,  and  local  levels  and  the 
Nationwide  Health  Information  Network  prototype  solutions  for 
supporting  health  information  exchange  across  the  nation.  In 
summer  2006,  the  privacy  and  security  solutions  contractor  selected 
34  states  and  territories  as  locations  in  which  to  perform 
assessments  of  organization-level  privacy-  and  security-related 
policies  and  practices  that  affect  interoperable  electronic  health 
information  exchange  and  their  bases,  including  laws  and 
regulations.  The  contractor  is  supporting  the  states  and  territories 
as  they  (1)  assess  variations  in  organization-level  business  policies 
and  state  laws  that  affect  health  information  exchange,  (2)  identify 
and  propose  solutions  while  preserving  the  privacy  and  security 
requirements  of  applicable  federal  and  state  laws,  and  (3)  develop 
detailed  plans  to  implement  solutions. 

The  privacy  and  security  solutions  contractor  is  to  develop  a 
nationwide  report  that  synthesizes  and  summarizes  the  variations 
identified,  the  proposed  solutions,  and  the  steps  that  states  and 
territories  are  taking  to  implement  their  solutions.  It  is  also  to 
address  policies  and  practices  followed  in  nine  domains  of  interest 
(1)  user  and  entity  authentication,  (2)  authorization  and  access 
controls,  (3)  patient  and  provider  identification  to  match  identities, 
(4)  information  transmission  security  or  exchange  protocols 
(encryption,  etc.),  (5)  information  protections  to  prevent  improper 
modification  of  records,  (6)  information  audits  that  record  and 
monitor  the  activity  of  health  information  systems,  (7) 
administrative  or  physical  security  safeguards  required  to 
implement  a  comprehensive  security  platform  for  health  IT,  (8)  state 
law  restrictions  about  information  types  and  classes  and  the 
solutions  by  which  electronic  personal  health  information  can  be 
viewed  and  exchanged,  and  (9)  iiiformation  use  and  disclosure 
policies  that  arise  as  health  care  entities  share  clinical  health 
information  electronically.  These  domains  of  interest  address  the 
use  and  disclosure  and  security  privacy  principles. 
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The  National  Committee  on  Vital  and  Healtii  Statistics  Made  Recommendations  for 
Addressing  Privacy  and  Security  within  a  Nationwide  Health  Information  Network 

In  June  2006,  NCVHS,  a  key  national  health  information  advisory 
committee,  presented  to  the  Secretary  of  HHS  a  report 
recommending  actions  regarding  privacy  and  confidentiality  in  the 
Nationwide  Health  Information  Network.  The  recommendations 
cover  topics  that  are,  according  to  the  committee,  central  to 
challenges  for  protecting  health  information  privacy  in  a  national 
health  information  exchange  environment.  The  recommendations 
address  aspects  of  key  privacy  principles  including  (1)  the  role  of 
individuals  in  making  decisions  about  the  use  of  their  personal 
health  information,  (2)  policies  for  controlling  disclosures  across  a 
nationwide  health  informatior\  network,  (3)  regulatory  issues  such 
as  jurisdiction  and  ertforcement,  (4)  use  of  information  by  non- 
health  care  entities,  and  (5)  establishing  and  maintaining  the  public 
trust  that  is  needed  to  ensure  the  success  of  a  nationwide  healtJi 
information  network.  The  recommendations  are  l)eing  evaluated  by 
the  AHIC  work  groups,  the  Certification  Commission  for  Health  IT, 
the  Health  Information  Technology  Standards  Panel,  and  other  HHS 
partners. 

In  October  2006,  the  committee  recommended  that  HIPAA  privacy 
protections  be  extended  beyond  the  current  definition  of  covered 
entities  to  include  other  entities  that  handle  personal  health 
information.  It  also  called  on  HHS  to  create  policies  and  procedures 
to  accurately  match  patients  with  their  health  records  and  to  require 
functionality  that  allows  patient  or  physician  privacy  preferences  to 
follow  records  regardless  of  location.  The  committee  intends  to 
continue  to  update  and  refine  its  recommendations  as  the 
architecture  and  requirements  of  the  network  advance. 


The  American  Health  Information  Community's  Confidentiality,  Privacy,  and  Security 
Workgroup  Is  to  Develop  Recommendations  to  Establish  a  Privacy  Policy  Framework 

AHIC,  a  commission  that  provides  input  and  recommendations  to 
HHS  on  nationwide  health  IT,  formed  the  Confidentiality,  Privacy, 
and  Security  Workgroup  in  July  2006  to  frame  privacy  and  security 
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policy  issues  and  to  solicit  broad  public  input  to  identify  viable 
options  or  processes  to  address  these  issues."  The 
recommendations  to  be  developed  by  this  work  group  are  intended 
to  establish  an  initial  policy  framework  and  address  issues  including 
methods  of  patient  identification,  methods  of  authentication, 
mechanisms  to  ensure  data  integrity,  methods  for  controlling  access 
to  personal  health  information,  policies  for  breaches  of  personal 
health  information  confidentiality,  guidelines  and  processes  to 
determine  appropriate  secondary  uses  of  data,  and  a  scope  of  work 
for  a  long-term  independent  advisory  body  on  privacy  and  security 
policies. 

The  work  group  has  defined  two  initial  work  areas — identity 
proofing'-  and  user  authentication" — as  initial  steps  necessary  to 
protect  confidentiality  and  security.  These  two  work  areas  address 
the  security  principle.  In  January  2007,  the  work  group  presented 
recommendations  on  performing  patient  identity  proofing  to  AHIC. 
The  recommendations  were  approved  by  AHIC  and  submitted  to 
HHS.  The  work  group  intends  to  address  other  key  privacy 
principles,  including,  but  not  limited  to  maintaining  data  integrity 
and  control  of  access.  It  plans  to  address  policies  for  breaches  of 
confidentiality  and  guidelines  and  processes  for  determining 
appropriate  secondary  uses  of  health  information,  an  aspect  of  the 
use  and  disclosure  privacy  principle. 


"in  May  2006,  several  of  the  AHIC  work  groups  recommended  the.  formation  of  an 
additional  work  group  composed  of  privacy,  security,  clinical,  and  technology  experts  from 
each  of  the  other  AIllC  work  groups.  The  AHIC  Confidentiality,  Privacy,  and  Security 
Workgroup  first  convened  in  August  2006. 

■^Identity  proofing  is  the  process  of  providing  sxifficient  information  (e.g.,  identity  history, 
credentiaJs,  documents)  to  establish  and  verify  a  person's  identity.  Identity  proofing 
already  takes  place  throughout  many  industries,  including  health  care.  However,  a  standard 
methodology  does  not  exist 

"User  authentication  is  the  process  of  confirming  a  person's  claimed  identity,  often  teed  as 
a  way  to  grant  access  to  data,  resources,  and  other  network  services.  While  a  user  name 
and  password  provide  a  foundational  level  of  authentication,  several  other  techniques, 
most  notably  two-factor  authentication,  have  additional  capabilities. 
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HHS's  Collective  Initiatives  Are  Intended  to  Address  Aspects  of  Key  Privacy  Principles, 
but  an  Overall  Approach  for  Addressing  Privacy  Has  Not  Been  Defined 

HHS  has  taken  steps  intended  to  address  aspects  of  key  privacy 
principles  through  its  contracts  and  with  advice  and 
recommendations  from  its  two  key  health  IT  advisory  committees. 
For  example,  the  privacy  and  security  solutions  contract  is  intended 
to  address  all  the  key  privacy  principles  in  HIPAA.  Additionally,  the 
uses  and  disclosures  principle  is  to  be  further  addressed  through  the 
advisory  committees'  recommendations  and  guidance.  The  security 
principle  is  to  be  addressed  through  the  definition  of  functional 
requirements  for  a  nationwide  health  information  network,  the 
definition  of  security  criteria  for  certifying  electronic  health  record 
products,  the  identification  of  irrformation  exchange  standards,  and 
recommendations  from  the  ad\isory  committees  regarding,  among 
other  things,  methods  to  establish  and  confirm  a  person's  identity. 
The  conunittees  have  also  made  recommendations  for  addressing 
authorization  for  uses  and  disclosure  of  health  information  and 
intend  to  develop  guidelines  for  determiiung  appropriate  secondary 
uses  of  data. 

HHS  has  made  some  progress  toward  protecting  personal  healli\ 
information  through  its  various  privacy-related  initiatives.  For 
example,  during  the  past  2  years,  HHS  has  defined  initial  criteria  and 
procedures  for  certifying  electronic  health  records,  resulting  in  the 
certification  of  over  80  IT  vendor  products.  In  January  2007,  HHS 
contractors  presented  4  initial  prototypes  of  a  Nationwide  Healtii 
Information  Network  (NHIN).  However,  the  other  contracts  have 
not  yet  produced  fmal  results.  For  example,  the  privacy  and  security 
solutions  contractor  has  not  yet  reported  its  nationwide  assessment 
of  state  and  organizational  policy  variations.  Additionally,  HHS  has 
not  accepted  or  agreed  to  implement  the  recommendations  made  in 
June  2006  by  the  NCVHS,  and  the  AHIC  Privacy,  Security,  and 
Confidentiality  Workgroup  is  in  the  very  early  stages  of  efforts  that 
are  intended  to  result  in  privacy  policies  for  nationwide  healtti 
information  exchange. 

HHS  is  in  the  early  phases  of  identifying  solutions  for  safeguarding 
personal  health  information  exchanged  through  a  nationwide  health 
irtformation  network  and  has  not  yet  defined  an  approach  for 
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integrating  its  various  efforts  or  for  fully  addressing  key  privacy 
principles.  For  example,  milestones  for  integrating  the  results  of  its 
various  privacy-related  initiatives  and  resolving  differences  and 
inconsistencies  have  not  been  defined,  and  it  has  not  been 
determined  which  entity  participating  in  HHS's  privacy-related 
activities  is  re^nsible  for  integrating  these  various  initiatives  and 
the  extent  to  which  their  results  will  address  key  privacy  principles. 
Until  HHS  defines  an  integration  approach  and  milestones  for 
completing  these  steps,  its  overall  approach  for  ensuring  the  privacy 
and  protection  of  personal  health  information  exchanged 
throughout  a  nationwide  network  will  remain  unclear. 


The  Health  Care  Industry  Faces  Challenges  in  Protecting  Electronic 
Health  Information 

The  increased  use  of  information  technology  to  exchange  electronic 
health  information  introduces  challenges  to  protecting  individuals' 
personal  health  irtformation.  In  our  report,  we  identify  and 
summarize  key  challenges  described  by  health  irtformation 
exchange  organizations:  understanding  and  resolving  legal  and 
policy  issues,  particularly  those  resulting  from  varying  state  laws 
and  policies;  ensuring  appropriate  disclosures  of  the  minimum 
amount  of  health  information  needed;  ensuring  individuals'  rights  to 
request  access  to  and  amendments  of  health  information  to  ensure  it 
is  correct;  and  implementing  adequate  security  measures  for 
protecting  health  information.  Table  2  summarizes  these  challenges. 
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Tabte  2:  Challenges  to  Exchanging  Electronic  Health  information 


Area  

Understanding  and  resolving  legal  and  *  Resolving  uncertainties  regarding  varying  the  extent  of  federal  privacy  protection  required 
policy  issues  various  organizations 

•  Understanding  and  resolving  data-sharing  issues  introduced  by  varying  state  privacy 
laws  and  organization-level  practices 

•  Reaching  agreement  on  organizations'  differing  interpretations  and  applications  of  HIPAA 
privacy  and  security  rules 

 »  Determining  liat>ility  and  enforcing  sanctions  in  cases  of  breach  of  confidentiality  

Ensuring  appropriate  disclosure  *  Determining  the  minimum  data  necessary  that  can  tte  disclosed  in  order  for  requesters  to 

accomplish  their  intended  purposes 

•  Obtaining  individuals'  authorization  and  consent  for  use  and  disclosure  of  personal  health 
information 

•  Determining  the  best  way  to  allow  individuals  to  participate  in  and  consent  to  electronic 
health  information  exchange 

•  Educating  consumers  so  that  they  understand  the  extent  to  which  their  consent  to  use 
 and  disclose  health  information  applies  

Ensuring  individuals'  rights  to  request      •  Ensuring  that  individuals  understand  that  they  have  rights  to  request  access  and 

access  and  amendments  to  health  amendments  to  their  own  health  information  to  ensure  that  it  is  correct 

information  to  ensure  it  is  correct  •  Ensuring  that  individuals'  amendments  are  property  made  and  tracked  across  multiple 

 locations  

Implementing  adequate  security  *  Determining  and  implementing  adequate  techniques  for  authenticating  requesters  of 

measures  for  protecting  health  health  information 

information  •  Implementing  proper  access  controls  and  maintaining  adequate  audit  trails  for  monitoring 

access  to  health  data 

 «  Protecting  data  stored  on  portable  devices  and  transmitted  between  business  partners 

Soures;  GAO  analysis  ot  intofmation  provictea  by  stalB-l9v«l  health  (rtormabon  axcfiange  oiganlzatioiw,  federal  nsaltti  care  providers. 


Understanding  and  Resolving  Legal  and  Policy  Issues 

Health  information  exchange  organizations  bring  together  multiple 
and  diverse  health  care  providers,  including  physicians,  pharmacies, 
hospitals,  and  clinics  that  may  be  subject  to  varying  legal  and  policy 
requirements  for  protecting  health  information.  As  health 
information  exchange  expands  across  state  lines,  organizations  are 
challenged  with  understanding  and  resolving  data-sharing  issues 
introduced  by  varying  state  privacy  laws.  HHS  recognized  that 
sharing  health  information  among  entities  in  states  with  varying 
laws  introduces  challenges  and  intends  to  identify  variations  in  state 
laws  that  affect  privacy  and  security  practices  through  the  privacy 
and  security  solutions  contract  that  it  awarded  in  2005. 
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Ensuring  Appropriate  Disclosure 

Several  orgjinizations  described  issues  associated  witli  ensuring 
appropriate  disclosure,  such  as  determining  the  minimum  data 
necessary  that  can  be  disclosed  in  order  for  requesters  to 
accomplish  the  intended  pmposes  for  the  use  of  the  health 
information.  For  example,  dieticians  and  health  claims  processors 
do  not  need  access  to  complete  health  records,  whereas  treating 
physicians  generally  do.  Organizations  also  described  issues  with 
obtaining  individuals'  authorization  and  consent  for  uses  and 
disclosures  of  personal  health  iriformation  and  difficulties  with 
determining  the  best  way  to  allow  individuals  to  participate  in  and 
consent  to  electronic  health  information  exchange.  In  June  2006, 
NCVHS  recommended  to  the  Secretary  of  HHS  that  the  department 
monitor  the  development  of  different  approaches  and  continue  an 
open,  transparent,  and  public  process  to  evaluate  whether  a  national 
policy  on  this  issue  would  be  appropriate. 

Ensuring  Individuals'  Rights  to  Request  Access  and 
Amendments  to  Health  Information  to  Ensure  It  Is  Correct 

As  the  exchange  of  personal  health  information  expands  to  include 
multiple  providers  and  as  individuals'  health  records  include 
increasing  amounts  of  information  from  many  sources,  keeping 
track  of  the  origin  of  specific  data  and  ensuring  that  incorrect 
information  is  corrected  and  removed  from  future  health 
information  exchange  could  become  increasingly  difficult. 
Additionally,  as  health  information  is  amended,  HIPAA  rules  require 
that  covered  entities  make  reasonable  efforts  to  notify  certain 
providers  and  other  persons  that  previously  received  the  mdividuals' 
irtformation.  The  challenges  associated  with  meeting  this 
requirement  are  expected  to  become  more  prevalent  as  the  numbers 
of  organizations  exchanging  health  information  increases. 

Implementing  Adequate  Security  Measures  for  Protecting 
Health  Information 

Adequate  implementation  of  security  measures  is  another  challenge 
that  health  information  exchange  providers  must  overcome  to 
ensure  that  health  information  is  adequately  protected  as  health 
Information  exchange  expands.  For  example,  user  authentication 
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will  become  more  difficult  when  multiple  organizations  that  employ 
different  techniques  exchange  information.  The  AHIC 
Confidentiality,  Privacy,  and  Security  Workgroup  recognized  this 
difficulty  and  identified  user  authentication  as  one  of  its  initial  work 
areas  for  protecting  confidentiality  and  security. 


Implementation  of  GAO  Recommendations  Should  Help  Ensure  that 
HHS's  Goal  to  Protect  Personal  Health  Information  is  Met 

To  increase  the  likelihood  that  HHS  will  meet  its  strategic  goal  to 
protect  personal  health  information,  we  recommended  in  our 
report"  that  the  Secretary  of  Health  and  Human  Services  define  and 
implement  an  overall  approach  for  protecting  health  information  as 
part  of  the  strategic  plan  called  for  by  the  President  This  approach 
should: 

1.  Identify  milestones  and  the  entity  responsible  for  integrating  the 
outcomes  of  its  privacy-related  initiatives,  including  the  results 
of  its  four  health  IT  contracts  and  recommendatioi\s  from  the 
NCVHS  and  AHIC  advisory  conunittees. 

2.  Ensure  that  key  privacy  principles  in  HIPAA  are  fiilly  addressed. 

3.  Address  key  challenges  associated  with  legal  and  policy  issues, 
disclosure  of  personal  health  information,  individuals'  rights  to 
request  access  and  amendments  to  health  information,  and 
security  measures  for  protecting  health  information  within  a 
nationwide  exchange  of  health  informatioiL 


In  commenting  on  a  draft  of  our  report,  HHS  disagreed  with  our 
recommendation  and  referred  to  "^e  department's  comprehensive 
and  integrated  approach  for  ensuring  the  privacy  and  security  of 
health  iitformation  within  nationwide  health  information  exchange." 
However,  in  recent  discussions  with  GAO,  the  National  Coordinator 
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for  Health  IT  agreed  with  the  need  for  an  overall  approach  to 
protect  health  mformation  and  stated  that  the  department  was 
initiating  steps  to  address  our  recommendation. 

Further,  since  our  report  was  issued,  HHS  has  reported  that  it  has 
undertaken  additional  activities  to  address  privacy  and  security 
concerns.  For  example: 

•  NCVHS's  subcommittee  on  privacy  and  confidentiality  is  drafting 
additional  recommendations  for  the  Secretary  of  HHS  regarding  the 
expansion  of  the  HIPAA  Privacy  Rule  coverage  to  entities  that  are 
not  currently  covered.  The  recommendations  are  expected  to  be 
presented  to  the  NCVHS  at  its  meeting  later  this  month. 

•  The  privacy  and  security  solutions  contractor  is  in  the  process  of 
analyzing  and  summarizing  34  states'  final  assessments  of 
organization-level  business  practices  mid  summaries  of  critical 
observations  and  key  issues.  Its  initial  assessment  identified 
challenges  that  closely  parallel  those  identified  in  our  report.  HHS 
plans  to  finalize  the  findings  and  final  reports  from  the  contractor 
after  the  contract  ends  at  the  end  of  this  month. 

•  HHS  awarded  another  contract,  the  State  Alliance  for  e-Heaith, 
which  is  intended  to  address  state-level  health  IT  Issues,  including 
privacy  and  security  challenges  and  solutions.  In  January  2007,  the 
alliance  identified  the  protection  of  health  information  as  a  guiding 
principle  for  its  work.  The  alliance  plans  to  identify  privacy 
practices  and  policies  to  help  ensure  the  protection  of  personal 
health  information  exchanged  within  a  nationwide  health 
information  network. 


In  summary,  concerns  about  the  protection  of  personal  health 
information  exchanged  electronically  within  a  nationwide  health 
information  network  have  increased  as  the  use  of  health  IT  and  the 
exchange  of  electronic  health  information  has  also  increased.  HHS 
and  its  Office  of  the  National  Coordinator  for  Health  IT  have 
initiated  activities  that,  collectively,  are  intended  to  protect  health 
information  and  address  aspects  of  key  privacy  principles.  While 
progress  continues  to  be  made  through  the  various  initiatives,  it 
remains  highly  important  that  HHS  define  a  comprehensive 
approach  and  milestones  for  integrating  its  efforts,  resolve 
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differences  and  inconsistencies  among  them,  fully  address  key 
privacy  principles,  ensure  that  recommendations  from  its  advisory 
committees  are  effectively  implemented,  and  sequence  the 
implementation  of  key  activities  appropriately.  If  implemented 
properly,  HHS's  planned  actions  could  help  improve  efforts  to 
address  key  privacy  principles  and  the  related  challenges,  and 
ensure  that  the  department  meets  its  goal  to  safeguard  personal 
health  information  as  part  of  its  national  strategy  for  health  IT. 

Mr.  Chairman  and  members  of  the  subcommittee,  this  concludes  our 
statement  We  would  be  happy  to  respond  to  any  questions  that  you 
or  members  of  the  subcommittee  may  have  at  this  time. 


Contacts  and  Acknowledgments 

If  you  have  any  questions  on  matters  discussed  in  this  testimony, 
please  contact  Linda  D.  Koontz  at  (202)  512-6240  or  Valerie  C. 
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Mr.  Clay.  Thank  you  so  much,  Ms.  Melvin. 

According  to  their  written  testimony,  HHS  states  that  it  has  in- 
vested significant  resources  and  efforts  in  our  nationwide  strategy 
for  protecting  health  information.  Our  national  health  IT  agenda 
approaches  our  privacy  and  security  through  a  full  suite  of  activi- 
ties both  in  form  of  current  work  and  preparing  for  future  needs. 
Specifically,  HHS  mentions  authorizing  a  review  of  34  States  and 
Puerto  Rico  to  analyze  how  their  laws  are  affecting  the  sharing  of 
health  information.  Yet,  GAO's  January  2007  report  cites  HHS' 
lack  of  an  overall  strategic  plan  for  integrating  its  privacy  initiative 
into  a  health  information  network.  The  report  also  concludes  that 
HHS  lacks  appropriate  milestones  to  measure  its  progress  to  meet 
these  requirements. 

With  that  in  mind,  I  would  like  to  ask  the  following  question:  can 
you  explain  how  HHS  is  addressing  the  legal  barriers  associated 
with  variances  in  State  privacy  laws  and  methods  to  limit  the  types 
of  information  disclosed  through  a  nationwide  exchange?  And  is  it 
true  that  HHS  disagrees  with  GAO's  recommendation  to  establish 
milestones  to  measure  progress  and  outcomes  in  the  development 
of  privacy  protections  for  a  network?  If  so,  why? 

Ms.  Melvin.  When  our  report  was  issued,  our  concern  was  that 
HHS  did  not  have,  as  you  said,  an  integrated  plan  that  would  allow 
all  the  various  initiatives  that  it  has  undertaken  to  be  integrated 
and  to  be  guided  by  milestones  and  measure  its  progress,  and  also 
from  the  standpoint  of  having  a  leader  to  make  sure  that  there 
would  be  complete  integration  of  the  various  initiatives  to  guide  the 
overall  effort. 

There  are  other  factors  related  to  the  variations  in  the  State 
agencies.  They  do,  in  fact,  have  contracts  in  place  that  are  intended 
to  assess  those,  as  you  have  mentioned,  and  those  types  of  initia- 
tives are  all  the  ones  that  we  believe  have  to  be  guided  and  driven 
by  an  overall  integrated  plan  that  has  a  well-defined  approach  to 
bringing  together  the  specific  initiatives,  to  being  able  to  look  at  all 
of  the  findings  and  the  assessments  that  are  being  made,  and  to 
develop  and  implement  solutions  as  a  result  of  what  their  assess- 
ments have  determined. 

Mr.  Clay.  Well,  can  you  identify  for  us  the  entity  or  entities 
within  HHS  that  will  be  responsible  for  coordinating  and  imple- 
menting its  privacy  initiatives?  Who  will  promulgate  the  regula- 
tions and  oversight  activities  for  privacy  within  the  network?  Is 
this  entity  effectively  staffed  and  capable  of  managing  its  respon- 
sibilities? 

Ms.  Melvin.  One  of  the  key  areas  or  pieces  of  information  that 
we  believe  is  missing  is  the  identification  of  the  critical  entity  that 
would  be  responsible  for  bringing  together  all  of  the  initiatives,  as 
you  have  noted,  so  we  cannot  identify  at  this  time  who  that  would 
be.  We  do  understand,  through  our  recent  discussions  with  Dr. 
Kolodner,  that  the  agency  is  taking  steps  through  the  National  Co- 
ordinator's Office  to  implement  a  framework;  however,  how  that 
framework  will  be  put  in  place  and  who  will  actually  guide  and 
lead  their  efforts  to  accomplish  that  has  not  been  specified  and  we 
have  no  information  that  we  could  share  regarding  its  

Mr.  Clay.  They  don't  know  yet?  I  mean,  you  gave  them  that  re- 
port in  January  of  this  year. 
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Ms.  Melvin.  Yes. 

Mr.  Clay.  And  they  have  not  moved  on  the  recommendations  is 
what  you  are  telHng  me? 

Ms.  Melvin.  As  of  last  week  when  we  spoke  with  Dr.  Kolodner 
their  efforts  were  in  the  early  stages  and  there  was  no  specific  in- 
formation provided  to  us  relative  to  who  the  entity  would  be  that 
would  lead  all  of  those  efforts. 

I  should  note  that  when  our  report  was  issued  the  National  Coor- 
dinator's Office  did  have  a  difference  relative  to  how  they  should 
proceed  with  a  coordinated  approach,  so  it  has  only  been  in  recent 
times  that  we  have  now,  I  think,  reached  more  agreement  with 
them  relative  to  the  importance  of  having  a  plan  in  place,  an  ap- 
proach that  would,  in  fact,  include  and  identify  a  specific  leader  for 
integrating  or  overseeing  the  integration  of  the  various  initiatives. 

Mr.  Clay.  Thank  you  for  that.  And  this  is  a  question  for  either 
one  of  you.  One  of  HIPAA's  limitations  is  that  it  does  not  cover  all 
entities  that  possess  or  utilize  personal  health  information.  Some 
life  insurers  and  research  entities  that  are  not  involved  with  the 
treatment  of  patients  fall  outside  the  rules.  Have  you  examined  the 
practical  impact  of  not  covering  some  entities  that  have  access  to 
personal  health  information?  Is  this  a  significant  problem,  in  your 
view,  Ms.  Koontz? 

Ms.  Koontz.  I  think  that  is  a  significant  issue  that  deserves 
more  study,  and  we  would  like  to  see  HHS  consider  that  as  it 
moves  forward  in  developing  privacy  policies,  practices,  and  stand- 
ards. It  is  true  that  HIPAA  covers  health  plans,  health  providers 
who  transmit  electronic  information  in  support  of  transactions,  and 
health  information  clearinghouses.  The  entities  that  you  mentioned 
are  outside  the  coverage  of  HIPAA.  I  think  that,  naturally,  as  we 
move  to  a  national  health  information  network  in  which  it  will  be 
much  easier,  and  it  is  actually  intended  to  make  information  flow 
more  easily,  this  is  something  that  we  should  pay  a  lot  more  atten- 
tion to.  Again,  I  do  hope  that  HHS  includes  this  in  their  delibera- 
tions as  they  move  forward. 

Mr.  Clay.  OK.  Thank  you  for  your  response. 

Let  me  now  turn  to  my  ranking  member,  Mr.  Turner. 

You  may  proceed. 

Mr.  Turner.  Thank  you. 

Thank  you  for  the  information  you  have  provided  to  us  in  your 
testimony  today.  This  is  an  important  issue  on  pretty  much  three 
fronts.  We  have  our  desire  to  find  cost  savings  and  reduce  the  spi- 
raling  increases  in  health  care  costs.  The  second  issue  is  quality  of 
health  care.  What  can  we  do  to  increase  the  quality  of  health  care? 
And  the  third  issue  is:  how  do  you  balance  privacy? 

So  many  times  when  we  make  an  advance  in  one  area  privacy 
either  takes  a  hit,  or  when  we  think  we  are  taking  an  advance  in 
privacy  others  take  a  hit. 

I  will  tell  you  one  funny  story.  Two  years  ago  when  I  was  in 
Washington  I  broke  my  sunglasses.  I  called  my  wife  at  home  and 
said,  can  you  go  and  get  me  some  new  sunglasses.  I  have  a  pre- 
scription. She  goes  to  the  eyeglass  place  and  they  wouldn't  let  her 
buy  eyeglasses  because  they  said  under  HIPAA  there  is  a  fear  that 
she  would  discover  what  my  prescription  is.  You  know,  that  is  not 
exactly  something  that  I  have  a  concern  about  having  a  privacy  ex- 
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pectation.  But,  nevertheless,  that  was  the  apphcation.  We  had  to 
wait  until  I  returned  back  home  until  I  could  get  them. 

So  this  is  a  fine  balance  of  what  things  do  we  have  an  expecta- 
tion of  privacy,  and  what  things  are  important  for  efficiency,  and 
what  things  do  we  have  for  cost  savings,  and  many  times  there  are 
unintended  consequences — you  know,  I  can't  get  my  sunglasses  un- 
less I  am  back  home — that  are  overlooked.  What  confidence  do  you 
have,  in  describing  the  process  that  we  are  undertaking,  that  the 
Federal  Government  is  going  to  be  able  to  have  a  better  record  in 
ascertaining  that  yes,  we  really  need  to  protect  people's  privacy, 
yes,  we  need  to  find  cost  sa\dngs,  and  we  need  to  fmd  efficiencies 
to  increase  quality  of  health  care?  What  are  your  thoughts? 

Ms.  Mel\t:n.  Again,  I  think  the  confidence  will  gi'ow  from  the  ex- 
tent to  which  there  is  transparency  in  the  way  that  the  health  in- 
formation network  is  put  together  and  the  way  that  privacy  is  con- 
veyed to  and  understood  by  the  public. 

Our  work  has  emphasized  the  need  for  the  National  Coordina- 
tor's Office  and  HHS  to  spend  significant  time  in  making  sure  that 
there  is  outreach  and  consensus  to  bring  together  a  better  under- 
standing among  all  participants  that  would  be  involved  in  the  over- 
all health  initiative. 

You  are  right,  there  is  an  extremely  fine  balance  between  the 
privacy  issues  and  the  need  to  ensure  quality  care,  the  need  to  try 
to  have  improvements  in  the  way  that  information  is  made  avail- 
able about  care,  and  all  of  that  comes  through,  again,  ha\dng  a  de- 
fined plan  for  how  they  mil  do  that,  as  well  as  having  necessary 
outreach,  necessary  information  made  available  to  educate  the  pub- 
lic on  the  need  for  and  the  use  of  electronic  health  records  so  that 
certainly  at  some  point  hopefully  there  would  be  buy-in,  more  buy- 
in  to  make  this  a  more  successful  effort. 

So  I  think  overall  success  will  depend  on  how  well  they  can  real- 
ly communicate  and  convey  the  need  for  and  ultimately  to  imple- 
ment a  system  that  does  balance  privacy  and  security  with  the 
quality  of  the  care  that  is  being  provided. 

Mr.  Turner.  One  of  the  issues  that  has  been  identified  is  the 
cost  savings  that  we  expect  from  going  to  electronic  recordkeeping, 
and  the  implementation  of  technology  on  this  issue  is  that  we  don't 
really  know  what  our  cost  savings  would  be,  and  we  are  not  captur- 
ing in  a  veiy  effective  w^ay  how  this  might  advance  us  in  cost.  Do 
you  agi'ee  with  that?  And  also,  do  you  have  thoughts  as  to  what 
we  could  be  doing  better  to  understand  really  what  will  we  be  able 
to  effect  in  cost  sa\'ings  in  this? 

Ms.  Mel\t:n.  I  think  clearly  the  cost  savings  is  an  issue.  The 
overall  cost  of  the  initiative  is  an  issue  that  would  have  to  be  de- 
fined based  on  what  technology  is  ultimately  determined  to  be 
needed  and  put  in  place  for  this,  again  largely  driven  by  the  pri- 
vacy and  policy  security  implications  that  would  drive  the  tech- 
nology that  would  need  to  be  put  in  place. 

Then  ultimately,  as  a  part  of  the  overall  strategy  and  the  defined 
approach  that  the  agency  would  need  to  have,  a  key  part  of  that 
is  defining  what  the  costs  are,  what  the  outcomes  that  result  ft'om 
that  are  in  the  way  of  benefits  and  savings.  I  think  all  of  those  as- 
pects collectively  are  going  to  be  important  in  defining  what  the  ac- 
tual cost  is  ultimately  for  the  overall  initiative. 
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Mr.  Turner.  Thank  you,  Mr.  Chairman. 
Mr.  Clay.  Thank  you,  Mr.  Turner. 

We  have  been  joined  by  our  colleague  from  New  Hampshire,  Mr. 
Hodes. 

I  understand  you  have  an  opening  statement.  You  may  proceed 
with  that  and  then  go  into  your  questions. 

Mr.  Hodes.  Thank  you,  Mr.  Chairman. 

Mr.  Clay.  You  have  ample  time.  You  are  welcome. 

Mr.  Hodes.  This  is  a  very  important  hearing.  The  privacy  con- 
cerns related  to  health  information  technology  in  the  digital  age 
take  on  an  increasingly  important  role  as  we  examine  a  health  care 
system  which  many  people  feel  is  a  system  which  is  dysfunctional 
and  not  operating  as  it  should,  and  many  are  looking  to  electronic 
medical  records  technology  as  a  key  component  to  making  our 
health  care  system  a  better-functioning  system. 

It  seems  that  it  is  fairly  obvious,  at  least  to  me,  that  there  are 
great  benefits  in  increased  coordination  of  care  from  effective  and 
appropriately  constructed  medical  records  technology  systems,  be- 
cause instead  of  having  people  carrjang  around  paper  records  and 
sacks  of  pills  from  one  doctor  to  another  and  having  the  second  doc- 
tor trying  to  figure  out  what  it  is  that  patient  is  on,  we  can  quickly 
and  easily,  with  medical  records  technology,  determine  what  care 
that  patient  has  had. 

On  the  other  hand,  medical  records  technology  presents  great 
risks  to  patient  security  and  private  information.  We  have  recently 
seen  in  the  Veterans  Administration,  which  frankly  is  in  the  fore- 
front of  developing  electronic  medical  records  technology,  when  a 
single  laptop  is  lost  there  is  enormous  amounts  of  personal  data 
that  is  compromised.  So  coming  up  with  the  right  construct  and  the 
right  system  is  clearly  very  important,  and  it  is,  I  think,  an  urgent 
matter  for  us  because  there  are  a  number  of  initiatives,  both  in  the 
private  sector  and  in  Government,  that  are  taking  us  down  the 
road,  but  it  sounds  from  your  testimony  and  the  report  that  there 
is  still  a  very,  very  long  way  to  go  in  coming  up  with  an  appro- 
priate national  system. 

[The  prepared  statement  of  Hon.  Paul  W.  Hodes  follows:] 
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Congressman  Paul  Hodes 
Opening  Statement 
Information  Policy,  Census,  and  National  Archives  Subcommittee 
Oversight  and  Government  Reform  Committee 
Tuesday,  June  19,  2007 
2154  Raybum  HOB  -  2:00  P.M. 
"Protecting  Patient  Privacy  in  Healthcare  Information  Systems" 

Thank  you  Chairman  Clay  for  holding  this  important  hearing  today  on  the 
privacy  concerns  related  to  health  information  technology.  We  live  in  a 
digital  age.  Increasingly,  our  medical  records  are  no  longer  file  folders  on 
the  walls  of  our  doctors'  offices,  but  bytes  of  information  on  hard  drives  and 
servers.  Advances  in  technology  and  in  electronic  medical  records  make  it 
easier  for  doctors  to  consult  with  other  doctors  and  specialists,  and  allow 
insurance  companies  to  efficiently  communicate  with  providers.  Health  IT 
helps  us  determine  the  efficacy  and  efficiency  of  medical  treatment,  and 
saves  lives  by  reducing  medical  errors. 

With  all  the  clear  benefits  that  Health  IT  provides  us,  we  need  to  make  sure 
that  personal  health  information  is  kept  safe  and  secure.  Careless  practices 
and  behaviors  can  lead  to  catastrophic  results.  When  a  Department  of 
Veterans'  Affairs  employees  lost  one  hard  drive  and  one  laptop,  millions  of 
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veterans'  personal  infonnation  was  compromised.  Losing  a  laptop  is  a  lot 
easier  than  losing  millions  of  file  folders. 

We  need  strong  and  clear  laws  to  address  the  new  vulnerabilities  in  health 
care  privacy.  HIPAA  was  enacted  to  address  some  of  these  digital  privacy 
weaknesses.  But,  eleven  years  and  many  technological  advances  later,  we 
need  to  revisit  how  health  information  privacy  can  be  strengthened  and 
secured. 

It  is  imperative  that  we  determine  and  implement  the  best  practices  to 
protect  personal  health  information,  both  within  the  government  and 
throughout  the  private  sector.  We  need  clear  standards  and  robust  laws  to 
ensure  that  all  those  who  handle  our  medical  infonnation  do  so  with  strong 
privacy  and  security  safeguards  in  place. 

I  look  forward  to  hearing  from  the  panelists  today  on  their  recommendations 
to  help  us  reap  the  benefits  of  Health  IT  in  a  way  that  also  protects  our 
privacy. 
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Mr.  HODES.  One  question,  Ms.  Melvin,  that  I  had  raised  by  your 
testimony!  that  I  would  just  hke  you  to  clarify  for  me,  if  you  could, 
would  be^and  I  may  not  have  all  the  terms  right — but  you  men- 
tioned that  the  National  Coordinator's  Office  at  HHS,  I  believe,  had 
a  difference  about  a  national  coordinated  approach  when  your  re- 
port was  initially  sent  over? 

Ms.  Melvin.  We  had  originally  recommended  that  they  develop 
a  defined  approach  that  would,  in  fact,  allow  them  to  integrate  the 
various  initiatives,  that  would  establish  milestones  and  timeframes 
for  the  completion  of  initiatives,  obviously  considering  that  there 
were  multiple  activities  going  on,  and  that  would,  in  fact,  designate 
a  leader,  identify  a  leader  who  would  lead  the  overall  coordination, 
an  entity  that  would  lead  the  overall  coordination  of  all  of  the  var- 
ious initiatives  being  put  in  place. 

I  believe  that  in  this  case  in  their  comments  HHS  essentially  be- 
lieved that  they  did  have  a  comprehensive  approach.  We  had  a  dif- 
ference relative  to  the  construct  of  that  approach  and  whether,  in 
fact,  it  contained  all  of  the  necessary  or  recognized  all  of  the  nec- 
essary components  in  the  way  of  having  a  designated  leader,  in  the 
way  of  having  established  milestones,  and  potentially  measures  for 
being  able  to  really  gauge  progress  and  to  guide  the  overall  effort. 

Mr.  HODES.  And  I  gather  there  were  some  discussions  that  took 
place? 

Ms.  Melvin.  We  have  subsequently  met  with  Dr.  Kolodner,  actu- 
ally within  the  last  week.  We  have  talked  more  about  what  our 
concerns  were  relative  to  the  lack  of  such  a  defined  approach,  and 
in  talking  with  him  and  through  information  that  we  have  seen 
since  our  discussions,  there  is  an  indication  that  he  is  in  agreement 
with  the  need  for  having  an  approach,  some  type  of  road  map  that 
would,  in  fact,  provide  more  detail  than  defined  milestones  for  inte- 
grating the  various  initiatives  that  are  underway. 

Mr.  HoDES.  There  is  no  disagreement  between  you  and  Dr. 
Kolodner  that  the  coordinator  of  any  national  health  information 
technology  system  would  be  situated  at  HHS,  is  there? 

Ms.  Melvin.  We  have  not  talked  specifically  about  what  entity 
would  be  the  leader  to  integrate  this.  Our  discussions  were  at  a 
level  relative  to  the  importance,  the  significance  overall  of  develop- 
ing an  approach.  We  have  not  described  what  that  approach  would 
be.  We  do  feel  it  is  important,  however,  that  approach  does,  in  fact, 
define  those  critical  elements  relative  to  timeframes  and  mile- 
stones, measures  of  performance,  and  also  in  terms  of  actually 
identifying  the  entity  that  would  lead  it,  but  we  have  not  talked 
about  specifically  who  that  entity  would  be. 

Mr.  HODES.  You  are  just  trying  to  get  to  square  one  with  HHS 
and  have  them  recognize  that  there  needs  to  be  a  coordinated  ap- 
proach with  time  lines  and  benchmarks  and  setting  out  a  plan  to 
put  together  the  initiatives  that  have  already  been  begun  into  some 
comprehensive  plan  that  we  can  all  look  at  and  then  talk  about? 

Ms.  Melvin.  That  is  absolutely  correct,  sir. 

Mr.  HoDES.  I  am  just  about  finished,  Mr.  Chairman. 

When  you  say  that  Dr.  Kolodner  has  indicated  his  agreement,  is 
that  verbally?  Is  that  in  writing?  How  has  that  agreement  been  in- 
dicated? 
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Ms.  Melvin.  Our  discussions  have  been  held  through  a  meeting 
with  Dr.  Kolodner  relative  to  what  actions  they  were  taking,  but, 
as  I  stated  earlier,  we  have  not  discussed  the  specifics  of  what  that 
planned  approach  would  look  like  ultimately.  It  is  our  hope,  and  we 
do  view,  you  know,  the  fact  that  at  this  point  he  does  agree  with 
the  need  for  that  as  very  promising,  but,  as  our  statement  indi- 
cates, it  is  a  very  difficult  task.  It  is  a  long  road.  It  does  involve 
a  lot  of  initiatives,  and  it  will  take  sustained  and  committed  effort 
on  HHS'  part  to  make  sure  that  happens. 

Mr.  HODES.  What  is  your  timeframe  for  getting  some  sort  of  con- 
crete response  beyond  the  verbal  discussions  you  have  had  from  Dr. 
Kolodner  and  HHS  that  would  clearly  indicate,  something  we  could 
look  at,  that  says  HHS  agrees  that  we  are  going  down  this  road 
and  here  is  how  we  are  going  to  get  there?  Are  we  talking  a  week? 
A  month?  Two  months? 

Ms.  Melvin.  We  have  not  specified  a  specific  timeframe.  Obvi- 
ously, based  on  our  recommendation,  we  do  feel  it  is  very  impor- 
tant that  this  effort  be  undertaken  urgently.  It  is  very  critical  from 
the  standpoint  of  the  many  initiatives  that  HHS  and  the  National 
Coordinator's  Office  does  have  underway  that  lead  to  the  develop- 
ment of  technology,  the  significant  point  being  that  you  want  secu- 
rity and  privacy  policies  to  be  in  place  to  really  guide  and  be  a  fac- 
tor in  determining  what  technology  is  there.  So  it  is  an  urgent  ef- 
fort, but  not  one  that  we  put  a  definite  timeframe  on  for  seeing 
that  it  happens. 

Mr.  Hodes.  Thank  you  very  much. 

Thank  you,  Mr.  Chairman. 

Mr.  Clay.  Thank  you,  Mr.  Hodes,  for  that  line  of  questioning. 

This  question  is  for  either/or.  I  would  like  to  hear  your  thoughts 
on  HHS'  enforcement  policies,  practices,  and  procedures.  There  has 
been  significant  criticism  of  the  agency's  enforcement  of  HIPAA 
and  lack  of  civil  penalties  enforced  on  identified  violations.  Are  the 
enforcement  activities  of  HHS  being  carried  out  in  accordance  with 
the  statute  and  the  legislation  and  regulations?  Are  the  current 
regulations  adequate  to  ensure  that  violating  entities  are  being 
sanctioned  appropriately? 

Ms.  KOONTZ.  I  have  to  say,  first  of  all,  that  we  have  not  studied 
HHS'  enforcement  actions;  however,  I  think  it  has  been  widely  re- 
ported that  there  have  been  few  enforcement  actions  on  their  part. 

The  way  HIPAA  is  set  up  right  now  is  that  if  an  individual  has 
a  complaint  they  can  go  to  HHS,  the  Office  of  Civil  Rights,  and 
complain  about  privacy  violations.  I  think  that  this,  again,  is  an- 
other issue  for  us  moving  forward.  Under  HIPAA,  for  example, 
there  is  no  individual  right  of  action.  If  someone  isn't  satisfied  with 
what  happens  at  HHS,  they  cannot  go  to  the  courts  for  resolution. 
I  think  this  is  an  issue  that,  you  know,  we  will  need  to  look  at  over 
time,  but  we  haven't  studied  it  in  depth. 

Mr.  Clay.  One  IT-specific  recommendation  offered  by  the  Na- 
tional Council  of  Vital  Health  Statistics  was  for  HHS  to  support  re- 
search and  development  of  contextual  access  criteria  that  is  appro- 
priate for  the  dissemination  and  sharing  of  electronic  health  infor- 
mation. Do  you  know  whether  HHS  is  addressing  this  issue  and, 
if  not,  why  not?  And  does  GAO  concur  with  the  findings  and  rec- 
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ommendations  of  the  National  Committee  on  Vital  Health  Statis- 
tics? 

Ms.  KOONTZ.  First  of  all,  in  terms  of  the  contextual  information, 
I  think  that  is  quite  an  exciting  idea,  because  if  you  look  at  paper 
records  right  now,  if  you  have  to  disclose  a  paper  record  I  think 
that  the  default  is  to  perhaps  disclose  the  whole  piece  of  paper.  The 
idea  of  this  contextual  access  would  be  that  when  you  disclosed  in- 
formation you  would  use  technology  in  such  a  way  that  you  could 
disclose  only  the  information  that  was  actually  needed,  so  it  would 
be  a  way  to  really  leverage  technology  to  increase  privacy  for  pa- 
tients and  consumers.  So  the  National  Committee  on  Vital  and 
Health  Statistics  did  recommend  that  HHS  look  at  this  more  fully 
in  the  process,  and  we  support  that. 

I  think  one  of  the  things  that,  as  they  move  forward  on  a  com- 
prehensive strategy  for  addressing  privacy,  they  need  to  take  into 
consideration  the  results  of  all  these  different  contracts  and  initia- 
tives that  they  have  going  on,  which  seem  to  have  a  lot  of  merit. 
They  need  to  take  into  consideration  the  recommendations  of 
NVCHS,  and  they  need  to  take  into  consideration  some  of  the  chal- 
lenges that  I  think  we  raised  in  our  report. 

Mr.  Clay.  Thank  you  for  that  response. 

When  multiple  States  with  conflicting  laws  have  personal  health 
information  concerning  the  same  patient,  which  State's  privacy 
standard  will  apply,  and  under  what  circumstances?  How  can  enti- 
ties in  one  State  appropriately  manage  patient  data  within  their 
electronic  patient  records  if  they  are  unaware  of  applicable  restric- 
tions in  another  State? 

Ms.  KooNTZ.  Well,  the  issue  about  HIPAA  is  that  HIPAA  is 
meant  to  be  a  floor  in  terms  of  privacy  protection,  so  that  means 
it  does  not  preempt  a  State  law  that  provides  greater  privacy  pro- 
tections than  the  Federal  law.  But  you  are  right:  what  it  leads  to 
is  very  much  a  patchwork  of  different  kinds  of  laws  in  varying 
States,  and  when  you  go  to  electronic  health  records  and  you  go  to 
a  national  health  information  network,  again,  the  information  is  to 
move.  It  can  move  much  more  freely  than  it  does  now  in  a  paper 
environment. 

One  of  the  challenges,  when  we  were  doing  our  study,  that  many 
organizations  talked  to  us  about  is  operationalizing  these  various 
requirements  and  being  able  to  navigate  in  an  environment  where 
information  is  created  in  one  State,  it  is  sent  to  another,  it  is  sent 
yet  to  another,  and  how  to  really  navigate  in  that  kind  of  environ- 
ment has  caused  a  complexity  which  may  indicate  some  need 
maybe  for  greater  guidance  in  terms  of  how  to  navigate  this.  And 
some  people  have  suggested,  of  course,  that  there  be  some  kind  of 
national  standard  for  privacy  that  is  consistent  across  the  States. 
We  haven't  studied  that  further,  but  that  has  been  an  issue  that 
has  often  been  raised. 

Mr.  Clay.  Good.  Thank  you  very  much. 

Mr.  Turner. 

Mr.  Turner.  Thank  you,  Mr.  Chairman. 

We  want  to  note  that  Government  Health  IT  reported  on  June 
15,  2007,  that  Dr.  Kolodner,  National  Coordinator  of  Health  Infor- 
mation and  Technology,  has  revealed  that  his  office  will  propose  a 
draft  framework  for  privacy  policy  later  this  year.  Kolodner  said  it 
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will  reference  other  privacy  policy  documents  from  organizations 
such  as  Connecting  for  Health,  the  National  Committee  on  Vital 
and  Health  Statistics,  and  the  Organization  for  Economic  Coopera- 
tion and  Development.  I  look  forward  to  seeing  that  so  we  can  all 
have  an  opportunity  to  review  it  and  determine  its  effectiveness. 

I  am  going  to  ask  if  you  could  talk  for  a  moment — and  you  may 
not  be  able  to — but  the  VA's  experience  during  Katrina,  we  have 
all  heard  news  reports  about  how  the  VA  was  able  to  transfer  large 
numbers  of  patients'  records  far  more  quickly  than  private  hos- 
pitals. Are  you  familiar  with  the  VA's  experience  and  their  system? 
Could  you  comment  on  that? 

Ms.  Melvin.  I  am  not  familiar  with  that  particular  experience, 
but  what  I  can  tell  you  is  that  VA  does  have  a  comprehensive  lon- 
gitudinal electronic  health  record  for  its  patients,  which  would  ex- 
plain its  ability  to  make  information  available  for  those  people  who 
were  affected  by  Hurricane  Katrina.  Its  system  is  set  up  so  that  it 
contains  a  complete  record  of  each  patient  that  is  captured  within 
its  system,  so  that  would  explain  its  ability  to  perhaps  have  records 
available  more  readily  certainly  than  other  entities  that  do  not 
have  such  a  capability  at  this  point. 

Mr.  Turner.  Are  you  familiar  with  either  their  experience  of  cost 
savings  or  efficiencies  in  increasing  medical  care  and/or  privacy 
issues  and  policies? 

Ms.  Melvin.  I  don't  have  specific  information  on  their  cost  sav- 
ings. I  can  tell  you,  though,  that  they  have  a  very  impressive  sys- 
tem in  place  that  has  allowed  them  to  achieve  many  improvements 
in  quality  of  care  through  the  clinician's  ability  to  have  ready  ac- 
cess to  information,  through  their  ability  to  actually  use  that  infor- 
mation in  the  health  care  of  patients  at  this  point. 

Mr.  Turner.  Thank  you  very  much. 

Ms.  Melvin.  You  are  very  welcome. 

Mr.  Turner.  Thank  you,  Mr.  Chairman. 

Mr.  Clay.  Thank  you,  Mr.  Turner. 

Mr.  Hodes,  any  more? 

Mr.  HODES.  Just  one  more  briefly. 

Mr.  Clay.  Please  proceed. 

Mr.  Hodes.  Thank  you,  Mr.  Chairman. 

I  would  like  to  folio wup  just  a  little  bit  on  the  question  about 
varying  State  standards,  because  I  note  at  page,  I  think  it  looks 
like  15  of  your  report,  where  you  talk  about  the  challenges  to  ex- 
changing electronic  health  information  and  the  area  of  understand- 
ing and  resolving  legal  and  policy  issues,  and  the  first  bullet  point 
you  talk  about  is  resolving  uncertainties  regarding  the  extent  of 
Federal  privacy  protection,  and  it  leads  me  to  the  question  of  how 
quickly  we  can  go  to  a  national  information  system  with  so  many 
differing  standards  out  there  among  the  States. 

Could  you  tell  us  what  do  you  think  the  benefits  would  be  to  es- 
tablishing a  Federal  standard  in  these  areas,  even  if  it  meant  hypo- 
thetically  preempting  the  States? 

Ms.  KOONTZ.  Well,  it  is  obviously  a  policy  judgment  that  you  are 
probably  in  a  much  better  position  to  make  than  I,  but  

Mr.  HODES.  That  is  why  I  asked  the  question. 

Ms.  KoONTZ.  Fair  enough.  But,  I  mean,  the  obvious  advantage 
here  is  that  we  would  be  trading  off  some,  getting  rid  of  some  com- 
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plexity  in  order  to,  you  know,  if  we  got  some  standardization.  Obvi- 
ously, from  talking  to  a  fairly  large  number  of  entities  out  there 
who  are  involved  in  information  exchange  and  involved  in  provid- 
ing health  care,  it  is  tremendously  confusing,  even  to  the  point  of 
trying  to  decide  what  rules  apply,  what  category  do  they  fit  in,  and 
then  also  how  to  operationalize  all  the  different  kinds  of  require- 
ments, as  well.  So,  I  mean,  I  can  see  on  balance  it  is  on  the  one 
hand  and  on  the  other  hand,  but  there  are  definitely  benefits  to 
standardization,  as  well,  although  there  may  be  States  where  you 
might  end  up  lowering  privacy  protection,  and  I  think  that  is  an 
issue  for  that  locality. 

Mr.  HODES.  OK.  Thank  you  very  much. 

Thank  you,  Mr.  Chairman.  I  yield  back. 

Mr.  Clay.  Thank  you,  Mr.  Hodes. 

The  AHIC,  which  is  a  public/private  working  group  chaired  by 
the  Secretary,  assembled  a  working  group  on  how  to  address  pri- 
vacy and  confidentiality  issues  last  August.  What  findings,  if  any, 
have  been  presented  to  the  Secretary?  Is  AHIC's  work  consistent 
with  GAO's  findings  and  recommendations?  Are  you  familiar  with 
AHIC,  the  American  Health  Information  Community? 

Ms.  Melvin.  Yes,  we  are  familiar  with  that.  As  far  as  their  find- 
ings and  recommendations,  at  this  point  we  are  not  certain  as  to 
exactly  what  they  are  doing.  We  do  know  that  HHS  is  in  the  proc- 
ess of  assessing  the  information  that  they  have  from  them,  and  we 
have  not  compared  that  to  GAO's  recommendations,  as  I  recall. 

Mr.  Clay.  OK. 

Ms.  Melvin.  We  have  not  compared  them  to  GAO's  recommenda- 
tions. 

Mr.  Clay.  All  right.  I  thank  you  for  that. 

Let  me  thank  both  of  you  for  your  answers  today  and  for  being 
witnesses  at  this  hearing.  I  think  it  is  such  an  important  issue,  and 
we  certainly  appreciate  GAO  weighing  in.  Thank  you  both.  This 
panel  is  dismissed. 

I  would  now  like  to  invite  our  second  panel  of  witnesses  to  come 
forward,  please. 

Testifying  today  on  our  second  panel  will  be  Mary  R.  Grealy, 
president  of  the  Healthcare  Leadership  Council.  Welcome  to  you. 

Bryan  Pickard,  president  of  the  American  Health  Information 
Management  Association.  Thank  you  for  being  here. 

Peter  P.  Swire,  the  C.  William  O'Neill  professor  of  law  at  the 
Ohio  State  University's  Moritz  College  of  Law  and  senior  fellow  at 
the  Center  for  American  Progress. 

Welcome  to  all  of  you. 

It  is  the  policy  of  the  committee  to  swear  in  all  witnesses  before 
they  testify.  At  this  time  I  would  like  to  ask  you  all  to  stand  and 
raise  your  right  hands. 

[Witnesses  sworn.] 

Mr.  Clay.  Let  the  record  show  that  all  of  the  witnesses  answered 
in  the  affirmative. 

Each  of  you  will  have  5  minutes  to  make  an  opening  statement. 
Your  complete  written  testimony  will  be  included  in  the  hearing 
record.  The  yellow  light  in  front  of  you  will  indicate  you  have  1 
minute  remaining.  The  red  light  will  indicate  that  your  time  has 
expired. 
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Ms.  Grealy,  we  will  begin  with  you.  You  may  proceed. 

STATEMENTS  OF  MARY  R.  GREALY,  PRESIDENT,  HEALTHCARE 
LEADERSHIP  COUNCIL;  BYRON  PICKARD,  PRESIDENT, 
AMERICAN  HEALTH  INFORMATION  MANAGEMENT  ASSOCIA- 
TION; AND  PETER  SWIRE,  SENIOR  FELLOW,  CENTER  FOR 
AMERICAN  PROGRESS 

STATEMENT  OF  MARY  R.  GREALY 

Ms.  Grealy.  Thank  you,  Mr.  Chairman  and  members  of  the  sub- 
committee. On  behalf  of  the  members  of  the  Healthcare  Leadership 
Council,  I  want  to  thank  you  for  the  opportunity  to  testify  on  this 
extremely  important  subject. 

Certainly  all  Americans  want  to  be  assured,  as  we  move  toward 
a  day  when  virtually  all  clinical  health  information  will  be  ex- 
changed electronically,  that  their  confidentiality  will  be  protected 
and  information  will  be  used  to  provide  health  care  of  the  highest 
quality. 

The  Healthcare  Leadership  Council  is  comprised  of  chief  execu- 
tives of  many  of  the  Nation's  leading  health  care  companies  and  or- 
ganizations representing  all  sectors  of  American  health  care.  Our 
members  are  some  of  the  early  adopters  of  health  information  tech- 
nology. 

Mr.  Chairman,  with  my  time  limitations  there  are  two  key  points 
that  I  would  like  to  make  today.  First,  allow  me  to  comment  on  the 
current  HIPAA  privacy  rule,  a  rule  that  was  developed  through 
careful,  detailed  deliberations  over  a  5-year  period,  and  its  effec- 
tiveness in  the  context  of  electronic  health  information  exchange. 

We  are  concerned  that  the  transition  to  more  widespread  use  of 
electronic  medical  records  will  prompt  a  reactive  call  in  some  quar- 
ters for  additional  burdensome  privacy  regulations.  It  is  important 
to  note  that  the  HIPAA  privacy  rule,  which  is  already  quite  restric- 
tive, was  spurred  by  the  growth  of  electronic  transactions  and  al- 
ready contains  ample  provisions  governing  the  confidentiality  of  in- 
formation, electronic  or  otherwise.  It  is  even  more  important  to  rec- 
ognize that  more-restrictive  rules,  such  as  requiring  providers  and 
payers  to  obtain  prior  consent  for  treatment,  payment,  and  health 
care  operations,  would  delay  and  disrupt  health  care,  particularly 
for  the  most  vulnerable  patients. 

The  fact  is,  Mr.  Chairman,  the  HIPAA  privacy  rule  has  a  suc- 
cessful track  record,  and  that  success  is  being  achieved  in  an  envi- 
ronment in  which  multi-State  electronic  data  exchange  is  already 
occurring. 

Health  care  providers  and  plans  have  spent  significant  resources 
to  comply  with  the  HIPAA  rule.  Before  considering  any  changes, 
we  should  be  certain  that  they  are  absolutely  essential  and  would 
warrant  diverting  finite  resources  from  patient  care  to  additional 
administrative  compliance. 

The  other  point  I  wish  to  make  this  afternoon  is  that,  while  the 
HIPAA  privacy  rule  is  effective  in  protecting  patient  confidential- 
ity, the  development  of  a  multi-State  network  requires  the  creation 
of  a  uniform  Federal  privacy  standard.  While  HIPAA  establishes 
such  a  standard,  it  permits  State  variations  that  are  found  in  thou- 
sands  of  statutes,   regulations,    common   law   principles,  and 
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advisories.  This  patchwork  quilt  creates  confusion  among  those 
who  hold  identifiable  health  information  and  those  who  seek  to  es- 
tablish these  data  exchanges. 

We  believe  strongly  in  a  national  standard  thdt  provides  strong 
privacy  protections  for  every  American  and  facilitates  nationwide 
and  system-wide  electronic  data  exchange  for  the  betterment  of  pa- 
tient care. 

Mr.  Chairman,  Section  6  of  your  bill,  H.R.  4832,  laid  out  a  proc- 
ess to  help  achieve  that  national  standard,  and  we  hope  that  it  will 
find  its  way  and  be  part  of  any  future  HIT  legislation. 

One  thing  that  helps  us  put  a  face  on  health  care  policy  and  to 
put  it  in  perspective  is  that  these  issues  unavoidably  become  per- 
sonal for  all  of  us.  My  family  currently  has  a  compelling  example 
in  the  person  of  my  88  year  old  father,  who  lives  in  Fort  Lauder- 
dale, FL.  Just  a  few  months  ago,  after  a  brief  hospital  stay  for 
acute  kidney  failure,  he  began  a  regimen  of  dialysis  three  times  a 
week.  At  the  same  time,  he  was  receiving  radiation  treatment  for 
prostate  cancer. 

I  can  tell  you  firsthand  that  the  staffs  in  the  hospital,  the  radi- 
ation center,  the  dialysis  center,  and  the  various  physician  offices 
are  fully  compljdng  with  the  HIPAA  privacy  rules,  oftentimes  mak- 
ing it  difficult  for  me  and  my  five  brothers  and  sisters  to  help  co- 
ordinate his  care.  Be  assured  that  health  professionals  take  the 
rules  very  seriously. 

More  importantly,  however,  I  am  also  experiencing  firsthand  the 
absolutely  critical  need  for  a  unified  electronic  health  record  so  that 
my  Dad's  oncologist,  nephrologist,  internist,  cardiologist,  nutrition- 
ist, radiation  center,  and  dialysis  center  would  all  know  in  real 
time  what  each  is  prescribing  and,  more  importantly,  how  he  is 
doing.  For  example,  sharing  the  results  of  lab  tests,  sharing  the 
prescriptions  that  they  are  ordering. 

An  electronic  health  record  would  have  avoided  my  Dad's  recent 
experience  of  receiving  Procrit  from  his  oncologist  while  he  was  re- 
ceiving a  similar  medication,  Epigen,  at  the  dialysis  center.  Unfor- 
tunately, it  fell  to  us  to  alert  and  notify  those  two  health  providers, 
because  they  were  not  sharing  this  information. 

You  can  see  the  importance  of  having  this  electronic  health 
record.  America's  patients,  not  just  my  Dad,  need  electronic  health 
record,  and  I  applaud  the  efforts  that  you,  Mr.  Chairman,  and  oth- 
ers have  put  toward  achieving  that  goal. 

We  look  forward  to  working  with  you,  finding  the  appropriate 
balance  between  privacy  and  the  need  for  sharing  this  important 
information  as  we  move  forward  in  this  important  area. 

Thank  you. 

[The  prepared  statement  of  Ms.  Grealy  follows:] 
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I  want  to  thank  you  on  behalf  of  the  members  of  the  Healthcare  Leadership  Council 
(HLC)  for  the  opportunity  to  testify  before  the  House  Committee  on  Oversight  and 
Government  Reform  Subcommittee  on  Information  Policy,  Census,  and  National 
Archives  on  the  Health  Insurance  Portability  and  Accountability  Act  of  1996's  (HIPAA) 
privacy  rule  and  how  it  will  protect  patient  privacy  in  an  environment  of  electronic  clinical 
health  information  exchange. 

HLC  is  a  not-for-profit  membership  organization  comprised  of  chief  executives  of  the 
nation's  leading  health  care  companies  and  organizations,  with  membership  that 
Includes  hospitals,  health  plans,  pharmaceutical  companies,  medical  device 
manufacturers,  biotech  firms,  health  product  distributors,  pharmacies  and  academic 
medical  centers.  Fostering  innovation  and  constantly  improving  the  affordabiltty  and 
quality  of  American  health  care  are  all  goals  uniting  HLC. 

The  Healthcare  Leadership  Council  supports  the  Administration's  goal  that  most 
Americans  have  electronic  health  records  by  2014.  And  we  appreciate  the  bi-partisan 
commitment  by  Congress  to  encourage  widespread  adoption  of  health  information 
technology. 

It  is  important  to  note  that  Health  Information  Technology  is  not  just  limited  to  electronic 
medical  records;  it  also  includes  Integrated  medication  delivery  systems  that  reduce 
bedside  intravenous  medication  delivery  errors  and  the  resultant  hann  to  the  patient. 
These  state-of-the-art  systems  enable  communication  between  doctors,  patients,  and 
phamriacies  to  ensure  that  the  proper  patient  Is  receiving  the  proper  drug  in  the  proper 
dosage  after  the  proper  precautions  were  taken. 

The  Healthcare  Leadership  Council  has  such  a  strong  interest  In  this  issue  because 
we've  seen  firsthand  what  widespread  adoption  of  HIT  can  mean  for  patients  and  health 
care  providers.  Several  HLC  member  organizations  have  been  among  the  earliest 
adopters  and  pioneers  of  health  information  technology.  We  believe  HIT  has  the  power 
to  transform  our  health  care  system  and  provide  increased  efficiencies  in  delivering 
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health  care;  contribute  to  greater  patient  safety  and  better  patient  care;  and  achieve 
clinical  and  business  process  improvements. 

In  the  area  of  standards,  several  public  and  private  sector  initiatives  are  making  great 
strides  to  identify  or  develop  health  information  interoperability  standards  that  will 
enable  disparate  systems  to  "speak  the  same  language."  And  the  work  of  the 
Certification  Commission  for  Health  Information  Technology  will  complement  these 
efforts  by  certifying  that  products  are  compliant  with  criteria  for  functionality, 
interoperability  and  security.  This  will  help  reduce  provider  investment  risks  and 
improve  user  satisfaction. 

As  important  as  it  is  to  applaud  the  progress  that  has  been  made,  it  is  necessary  to 
focus  on  the  barriers  that  stand  in  the  way  of  widespread  HIT  implementation.  We  have 
some  significant  challenges  ahead  of  us,  especially  with  patient  privacy  regulations  and 
standards. 

Given  the  time  that  has  elapsed  since  development  of  the  HIPAA  privacy  rule,  I  think  it 
would  be  useful  to  revisit  the  deliberations  about  confidentiality  during  development  of 
the  rule.  Those  intensive,  comprehensive  deliberations  over  a  five-year  period  carefully 
weighed  the  competing  interests  in  our  extraordinarily  complicated  health  care  system. 
They  included  both  a  Democrat  and  Republican  Administration  and  thus  experts  from 
both  political  parties.  The  result  of  these  deliberations  we  believe  to  be  an  effective 
privacy  rule. 

For  more  than  ten  years,  HLC  has  chaired  the  "Confidentiality  CoaHtion,"^  a  broad- 
based  group  of  organizations  that  support  nationally  uniform  privacy  standards. 
During  Congressional  enactment  of  the  (HIPAA)  statute  and  regulatory  development  of 
the  HIPAA  Privacy  Rule,  the  Confidentiality  Coalition  played  a  leadership  rde,  working 
with  members  of  Congress  and  the  administration  to  advocate  for  a  wori^able  privacy 

'  The  Confidentiality  Coaiition  includes  over  100  physician  specialty  and  subspecialty  groups,  nurses, 
pharmacists,  employers,  hospitals,  nursing  homes,  biotechnology  researchers,  health  plans, 
pharmaceutical  benefit  management  and  pharmaceutical  companies. 
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rule.  Today,  the  Coalition  continues  to  help  educate  members  of  Congress  about  the 
protections  afforded  in  the  Privacy  Rule  to  avoid  conflicting  or  duplicate  legislation. 

During  deliberations  on  the  Privacy  Rule,  we  sought  a  rule  that  would  strike  the 
appropriate  balance  between  protecting  the  sanctity  of  a  patient's  medical  Information 
privacy  while,  at  the  same  time,  ensuring  that  necessary  information  Is  available  for 
providing  quality  health  care  and  conducting  vital  medical  research.  We  advocated  for  a 
rule  with  effective  conffdentiality  safeguards  that  would  not  burden  providers  and 
patients  with  unnecessary  papenwori^  or  delays  in  treatment.  We  believe  that  the 
Privacy  Rule  to  a  great  extent  achieved  this  balance  and  has  Increased  consumers' 
confidence  in  the  privacy  of  their  medical  records.  We  thus  are  especially  interested  in 
how  these  successes  will  affect  efforts  to  achieve  interoperable  health  information 
exchange,  and  how  flexibly  the  rule  works  for  a  Rilly,  or  even  partially,  electronic  health 
care  system. 

Covered  entities  take  compliance  with  the  Privacy  Rule  very  seriously.  Health  care 
providers,  payers  and  other  covered  entities  as  well  as  their  business  associates  have 
implemented  comprehensive  training  and  compliance  plans  to  adhere  to  the  Privacy 
Rule.  Under  the  Privacy  Rule,  disclosing  identifiable  health  information  for  purposes 
other  than  carefully  defined,  appropriate  health-care  activities  is  prohibited  unless  the 
patient  grants  specific,  prior  written  authorization.  The  statute  canies  strong  civil  and 
criminal  penalties  for  non-compliance. 

Some  have  suggested  that  enforcement  and  penalties  for  violations  of  the  HIPAA  rules 
are  not  adequate.  However,  in  evaluating  HIPAA  compliance  and  enforcement,  it  is 
important  to  note  that  the  HIPAA  Administrative  Simplification  Enforcement  Final  Rule 
was  only  recently  promulgated  on  Febmary  16,  2006.  The  Final  Rule  adopts  the 
complete  rules  for  enforcing  ail  of  the  Administrative  Simplification  provisions  of  the 
Health  Insurance  Portability  and  Accountability  Act  including  the  privacy,  security, 
transactions  and  code  sets,  and  identifier  rules.  In  addition,  the  Final  Rule  establishes 
uniform  investigation  and  hearing  procedures  to  make  the  enforcement  process  operate 
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more  efficiently.  Thus,  HHS  has  only  recently  had  the  necessary  tools  to  enforce  the 
rule. 

I  might  also  note  that  the  Office  of  Civil  Rights  (OCR),  charged  with  overseeing  the 
privacy  rule,  has  partnered  with  providers  and  consumers  to  educate  them  on  how  to 
comply  with  the  rule.  OCR  has  found  that  many  alleged  violations  were  really 
misunderstandings  of  the  complex  HIPPA  rule  -  rather  than  intentional  breaches  of  the 
rule's  requirements. 

In  addition,  since  April  of  2005,  covered  entities  must  also  be  in  compliance  with  the 
HIPAA  Security  Rule.  The  Security  Rule  applies  to  electronic  protected  health 
information  that  a  covered  entity  creates,  receives,  maintains,  or  transmits.  The  rule 
requires  covered  entities  to  protect  against  threats  or  hazards  to  the  security  or  integrity 
of  information,  as  well  as  uses  and  disclosures  not  allowed  by  the  privacy  rule. 

Ongoing  dialogue  about  health  information  technology  and  standards  for  the  electronic 
transaction  of  health  care  has  raised  questions  about  the  privacy  and  security  of 
electronic  health  information  in  an  electronic  context.  I  think  It  is  of  the  utmost 
importance  to  note  that  it  was  concern  about  the  impact  on  patient  privacy  of  the  health 
system  widely  adopting  e/ecfran/c  transactions  that  spurred  the  HIPAA  privacy  rule. 
Thus,  during  the  rulemaking  process  for  the  Health  Insurance  Portability  and 
Accountability  Act  (HIPAA)  Privacy  and  Security  rules,  many  of  these  same  questions 
were  discussed,  and  the  result  is  that  the  HIPAA  Privacy  and  Security  rules  include 
ample  provisions  governing  the  confidentiality  of  patient  medical  infomnation,  electronic 
or  otherwise. 

We  are  concerned  that  some  policymakers  may  not  be  aware  of  the  purpose  and  scope 
of  the  HIPAA  privacy  and  security  rules  and  will  advocate  for  additional,  burdensome 
privacy  regulations  for  electronic  health  records.  The  current  HIPAA  regulations  are 
very  restrictive  and  companies  like  our  members  have  taken  a  very  conservative 
compliance  approach  in  their  business  practices.  I  think  many  consumers  will  attest  to 
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this  fact  if  they  have  attempted  to  get  health  care  claims  or  medical  Information  for 
themselves  or  another  person,  such  as  a  parent,  without  a  prior  approved  authorization. 
Some  have  expressed  concerns  about  "hyper-compliance"  with  the  privacy  rule. 

We  understand  that  many  believe  that  the  HIPAA  privacy  mie  must  be  revised  in  light  of 
electronic  transfer  of  data  and  web-based  access  to  personal  health  records,  so  that 
patients  may  trust  that  the  system  will  keep  their  data  private.  We  share  the  belief  that 
patients'  confidence  in  health  infonnation  technology  systems  is  of  the  utmost 
importance  in  order  for  them  to  be  successful.  We  believe  that  it  is  vitally  important  that 
patients  understand  the  protections  contained  in  the  HIPAA  rule,  so  they  can  be 
confident  that  their  records  are  and  will  be  protected. 

We  must  all  do  a  better  job  of  educating  the  public  as  to  how  electronic  health  records 
will  improve  the  quality,  safety  and  efficiency  of  their  health  care  and  that  of  future 
generations.  More  importantly  they  must  know  the  steps  taken  to  keep  their  information 
secure  and  that  it  cannot  be  disclosed  to  their  neighbor,  their  employer,  or  the 
newspaper  without  their  express  written  permission. 

I.  National  Uniform  Standard  for  Privacy 

One  area  of  concem  regarding  the  privacy  rule  is  the  rule's  lack  of  a  national  uniform 
standard  for  privacy.  Though  we  strongly  believe  that  the  HIPAA  privacy  mle  provides  a 
sound  basis  for  protecting  health  infonnation,  progress  toward  electronic  data  exchange 
is  significantly  impeded  by  the  lack  of  a  unifomi  federal  privacy  standard. 

As  an  underpinning  for  our  discussion  today,  we've  attached  a  map  developed  by  the 
Indiana  Network  for  Patient  Care  {Fig.1).  Each  dot  represents  a  patient  seen  at  an 
Indianapolis  hospital  during  a  six-month  period.  While  the  dots  are  stacked  very  deep 
around  Indianapolis  as  you  would  expect,  patients  served  by  the  Indiana  hospitals 
during  this  period  were  also  residents  of  48  of  the  50  states.  Today's  health  care 
providers,  meeting  the  needs  of  a  mobile  society,  serve  patients  from  multiple  and  far- 
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flung  jurisdictions.  Looking  at  this  map  it  is  easy  to  see  why  local  and  regional 
agreements  will  not  be  adequate  to  address  the  myriad  regulations  with  which  providers 
and  others  will  need  to  comply  to  achieve  interoperability  and  why  national  standards, 
for  interoperability  as  well  as  privacy  and  data  security,  are  necessary. 

Although  HIPAA  establishes  a  federal  privacy  standard,  it  pennits  significant  state 
variations  that  we  believe  will  create  serious  impediments  to  interoperable  exchange  of 
health  information,  particularly  across  state  lines.  This  is  true  not  only  with  respect  to  the 
technical  standards  employed  through  information  technology,  but  also  with  respect  to 
the  privacy  standards  that  govern  infomnation  disclosures. 

In  addition,  since  the  Privacy  Rule  does  not  supersede  state  privacy  laws,  providers, 
clearinghouses  and  health  plans  are  required  to  comply  with  the  federal  law  as  well  as 
any  state  privacy  restrictions  that  are  contrary  and  more  stringent.  In  the  context  of 
HIPAA  implementation  this  has  been  extremely  difficult  and  in  the  content  of  broad  and 
widespread  health  information  exchange  it  may  be  nearly  impossible. 

State  health  privacy  protections  vary  widely  and  are  found  in  thousands  of  statutes, 
regulations,  common  law  principles,  and  advisories.  Health  infonnation  privacy 
protections  can  be  found  in  a  state's  health  code  as  well  as  its  laws  and  regulations 
governing  criminal  procedure,  social  welfare,  domestic  relations,  evidence,  public  health, 
revenue  and  taxation,  human  resources,  consumer  affairs,  probate  and  many  others. 
While  Indiana  uses  HIPAA  as  its  state  privacy  law,  virtually  no  other  state's  requirement 
is  identical  to  the  federal  rule.  Within  a  given  state,  privacy  laws  may  actually  conflict, 
adding  to  confusion  among  those  who  hold  identifiable  health  information  and  those 
who  seek  to  set  up  data  exchanges. 

HHS  will  not  provide  a  comprehensive  preemption  analysis  of  these  state  privacy 
protections.  Moreover,  single-state  and  private-sector  efforts  have  been  extremely 
costly,  do  not  utilize  consistent  standards,  and  are  difficult  to  manage  against  the 
constantly  changing  50-state  environment.  HLC  and  the  Confidentiality  Coalition 
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attempted  to  address  this  problem  directly  by  commissioning  a  multi-jurisdiction  study  of 
this  issue  and  quickly  assessed  costs  of  more  than  $1  million  with  $100,000  for  annual 
updates.  Unfortunately  many  organizations,  particularly  smaller  provider  groups,  do  not 
have  such  resources  and  must  navigate  the  sea  of  privacy  regulations  and  laws  on  their 
own. 

Several  projects  at  HHS  are  currently  studying  state  privacy  laws  and  determine  their 
potential  impact  on  health  information  exchange.  In  October  of  2005,  the  Agency  for 
Health  Research  and  Quality  (AHRQ)  awarded  a  contract  to  RTI  International  to  assess 
the  variations  that  exist  at  the  organization  level  with  respect  to  privacy  and  security 
practices  and  policies. 

The  federally  funded  RTI  study  is  looking  at  33  states  and  focusing  on  working  with 
state  organizations  to  determine  what  laws  exist  in  each  state  and  what  organizations 
are  doing  to  streamline  state  statutes  and  regulations  to  make  them  consistent  within 
each  state,  so  that  data  may  be  exchanged  more  easily  within  a  given  state.  But 
looking  at  the  Indiana  chart  referenced  above,  it  is  unfortunate  that  the  RTI  study  did  not 
do  a  thorough  analysis  of  how  state  laws  are  impeding  movement  of  information  across 
state  lines. 

From  the  discussions  of  RTI  study  participants  at  its  March  conference  on  Privacy  & 
Security  Solutions  -  which  convened  the  state  officials  and  project  managers  involved  in 
the  RTI  study  -  it  appears  that  even  within  each  state  many  organizations  are  unable  to 
discern  the  appropriate  statutes  and  regulations.  In  summary,  state  stakeholders  are 
identifying  a  general  misunderstanding  regarding  the  many  potential  intersections  of 
present  state  laws  and  HIPAA,  finding  that  state  laws  do  not  currently  address  or  apply 
sensibly  to  the  proposed  electronic  exchange  of  health  information.  Instead, 
stakeholders  suggest  that  their  legal  departments  seem  simply  to  establish  a  privacy 
policy  with  which  they  are  comfortable,  refusing  to  exchange  data  with  any  but  trusted 
partners.  While  this  is  completely  understandable  in  the  context  of  the  wide  range  of 
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state  laws  and  regulations,  it  bodes  poorly  for  electronic  data  exchange,  especially 
across  state  lines. 

How  can  each  physician's  office,  hospital,  and  clinical  lab  develop  relationships  as  a 
trusted  partner  with  the  thousands  or  more  other  entities  who  could  participate  in  clinical 
data  exchange?  While  organizations  such  as  the  Markle  Foundation  are  working  with 
local  and  regional  health  information  exchanges  to  craft  an  acceptable,  standardized 
trusted-partner  contracts,  this  local  resistance  to  exchanging  information  with  any  but 
trusted  partners  is  seriously  impeding  health  information  exchange.  A  quicker  way  to 
alleviate  the  concern  would  be  to  establish  one  federal  privacy  standard  that  assuaged 
all  entities'  fears  about  who  could  be  trusted. 

Interestingly,  the  exception  may  be  Indiana,  where,  because  HIPAA  essentially  serves 
as  the  state's  health  privacy  law,  the  state  is  proceeding  with  a  state-wide  health 
information  exchange.  In  many  ways,  Indiana  serves  as  a  state  model  for  how  more 
easily  an  electronic  health  information  exchange  could  be  established  with  a  single 
privacy  standard. 

The  RTI  project  is  not  the  only  HHS  sponsored  entity  studying  state  variations  in  privacy. 
In  October  of  2006,  HHS'  Office  of  the  National  Coordinator  for  Heath  Infonnation 
Technology  (ONC)  announced  that  it  had  entered  into  a  one  year,  $1.99  million  dollar 
contract  with  the  National  Governors  Association's  (NGA)  Center  for  Best  Practices  to 
establish  the  State  Alliance  for  e-Health.  The  State  Alliance  will  serve  as  a  forum  in 
which  state-level  consensus-based  solutions  can  be  developed  to  address  key 
challenges  to  interoperable  health  information  technology.  Privacy  and  security  issues 
will  be  addressed  by  the  alliance  along  with  other  state  policy  issues  impeding  health 
information  exchange. 

HLC  is  not  alone  in  calling  for  nationally  uniform  privacy  standards.  The  1 1 -member 
Commission  on  Systemic  Interoperability,  authorized  by  the  Medicare  Prescription  Drug, 
Modernization,  and  Improvement  Act  to  develop  recommendations  on  HIT 


9 


52 


implementation  and  adoption,  recommended  that  Congress  authorize  the  Secretary  of 
HHS  to  develop  a  unifomi  federal  health  information  privacy  standard  for  the  nation, 
based  on  HIPAA  and  preempting  state  privacy  laws,  in  order  to  enable  data  exchange 
interoperability  throughout  the  country. 

While  we  believe  strongly  in  the  need  for  a  national  privacy  standard,  HLC  believes  just 
as  strongly  that  any  regional  or  national  system  designed  to  facilitate  the  sharing  of 
electronic  health  information  must  protect  the  confidentiality  of  patient  infomnation.  It  is 
not  our  intent  in  calling  for  one  national  privacy  standard  to  weaken  privacy  protections 
for  individuals,  but  rather  to  facilitate  nation-  and  system-wide  electronic  interchange  of 
data. 

II.      Patient  Consent  and  Controi 

You  have  asked  us  to  address  the  effectiveness  of  current  laws  and  regulations 
governing  use  and  disclosure  of  information  in  the  context  of  electronic  health 
information  exchange.  At  the  center  of  the  dialogue  about  electronic  health  records  and 
information  is  the  question  of  patient  consent  and  control.  After  lengthy  debate,  the  final 
HIPAA  Privacy  Rule  as  modified  allows  covered  entities  to  use  patients'  medical 
information  without  authorization  for  medical  treatment,  claims  payment  or  health  care 
operations  or  as  otherwise  permitted  or  required^.  For  other  uses,  providers  must 
obtain  a  written  authorization  from  each  patient. 

Requiring  providers  and  payers  to  obtain  prior  consent  to  use  individually  identifiable 
health  information  for  treatment,  payment  and  health  care  operations  was  rejected 
because  of  concerns  that  a  prior  authorization  requirement  would  seriously  delay  and 
disrupt  the  care  of  patients,  particularly  the  most  vulnerable  patients.  For  example, 


"  Under  the  Privacy  Rule  a  covered  entity  is  permitted  to  use  and  disclose  protected  health  information  without 
authorization  for  the  following  purposes  or  situations:  1)  to  the  individual;  2)  for  treatment,  payment  and  health  care 
operations;  3)  for  uses  and  disclosures  with  an  opportunity  to  agree  or  object;  4)  for  uses  and  disclosures  that  occur 
incident  to  an  otherwise  permitted  use  or  disclosure;  5)  for  public  interest  and  benefit  activities;  and  6)  of  a  limited 
data  set  for  purposes  of  research,  public  health  or  health  care  operations. 
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elderly  patients  would  not  be  able  to  send  a  family  designee  to  a  pharmacy  to  pick  up  a 
prescription  without  first  going  to  the  pharmacy  to  sign  consent  fomris;  pharmacies 
would  not  be  able  to  fill  prescriptions  phoned  in  by  physicians  until  the  patient  arrived  to 
give  consent;  and  emergency  medical  personnel  would  be  forced  to  get  consent  forms 
signed  before  treating  patients  -  even  when  contrary  to  best  medical  practice.  These 
concerns  were  not  simply  theoretical;  Maine  enacted  a  law  requiring  prior  consent  to 
use  patient-identifiable  information  for  health  care  purposes.  The  law  was  suspended 
just  1 2  days  after  taking  effect  because  of  the  chaos  that  ensued  in  hospitals  and 
pharmacies. 

The  much-touted  benefits  of  health  IT,  most  importantly  improvement  of  quality  of  care 
through  better  patient  incomes,  will  not  be  realized  if  infomiation  exchange  is 
constrained  by  various  authorization  or  consent  requirements.  Far  worse,  adding  such 
requirements  in  the  context  of  health  information  exchange  will  slow  and  impede 
providers'  current  ability  to  deliver  health  care  sen/ices.  Thus,  in  general,  we  believe 
that  changing  the  rule's  provisions  regarding  consent  and  control  would  be  unnecessary 
and  harmful. 

In  recent  years,  the  advent  of  personal  health  records  (PHRs)  has  triggered  another  set 
of  discussions  about  patient  control  of  their  health  information.  We  agree  that  with 
respect  to  PHRs,  individuals  will  want  to  control  distribution.  We  are  seriously 
concerned  about  the  prospects  of  allowing  consumers  to  control  which  health  care 
providers  may  see  their  medical  records  and  the  portions  of  the  records  that  may  t>e 
shared,  even  after  the  patient  has  entered  the  health  care  system  for  treatment. 
We  caution  against  aHowing  or  expecting  a  fdly  patient-controlled  PHR  to  become  a  de 
facto  electronic  health  record  for  use  in  clinical  settings,  as  physicians  will  never  trust 
that  they  have  accurate  and  complete  information  if  they  know  that  patients  can 
wittihold  pieces  ®f  the  record. 

We  would  suggest  that  while  PHRs  may  be  controlled  by  individuals,  once  their 
Information  reaches  an  EHR,  it  should  be  used  and  disclosed  as  under  HIPAA,  allowing 
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for  information  to  move  within  the  health  care  system,  including  via  electronic  data 
exchange,  as  it  may  under  HIPAA,  which  will  facilitate  optimal  patient  care  and  data 
available  to  improve  health  care  quality. 

If  patients  may  direct  where  infonnation  may  flow  within  the  health  care  system,  it  will 
upset  HIPAA's  careful  calibration,  designed  to  facilitate  providers  having  all  the 
necessary  facts  for  proper  diagnosis  and  treatment.  Enabling  patients  to  direct  what 
information  may  be  shared  electronically  is  the  same  as  saying  patients  may  direct  what 
information  is  withheld  from  their  physicians,  researchers  and  accreditors.  Critical  data 
could  be  omitted  from  aggregated  data  made  available  to  researchers  hoping  to 
improve  health  care  quality  and  patient  outcomes.  In  addition,  providers  are  very 
concerned  about  the  liability  that  might  result  from  their  reliance  on  incomplete 
information. 

We  often  hear  the  argument  that  physicians  already  are  relying  on  incomplete 
infonnation  and  that  at  least  a  partial  record  would  be  an  improvement.  We  would 
respond  that  given  the  resources  that  will  be  required  to  implement  health  IT,  it  would 
be  irresponsible  to  build  into  a  new,  more  expensive  medical  records  system  the  same 
drawbacks  that  are  inherent  in  our  current,  largely  paper-based  system.  If  we  want  to 
retain  the  inefficiency  and  lack  of  data  of  the  current  system,  the  nation  does  not  need 
to  spend  billions  of  dollars  on  health  information  technology. 

We  agree  that  use  of  a  national,  regional,  or  even  local  health  care  information 
exchange  will  require  patient  and  consumer  confidence,  it  will  be  cnjciai  to  educate 
consumers  and  patients  about  the  privacy  protections  and  penalties  enacted  under 
HIPAA  and  the  Security  Rule.  However,  providers  too  must  have  confidence  in  the 
integrity  of  the  data  provided  through  health  infonnation  exchange  in  order  to  assure 
utilization  of  such  a  system.  In  evaluating  proposals  to  require  consent  or  varying 
degrees  of  patient  control,  we  urge  the  Subcommittee  to  carefully  consider  the 
ramifications  for  health  care  delivery  and  public  health  that  such  steps  would  impose. 
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Addressing  this  issue  appropriately  will  be  essential  to  achieving  the  interoperability 
necessary  to  improve  the  quality  and  cost  effectiveness  of  the  health  care  system  - 
while  still  assuring  patients'  confidence  that  their  information  will  be  kept  private. 

lit.  HIPAA  Expansion  in  Health  Information  Exchange 

As  participants  throughout  the  process  of  developing  first  HIPAA  and  then  the  privacy 
rule,  we  believe  that  policymakers  worked  diligently  to  foresee  how  information  would 
move  in  the  coming  years.  Indeed,  the  rule  works  very  well  for  health  information 
exchange  within  HIPAA  covered  entities  and  activities. 

In  addition,  other  entities  beyond  HIPAA  covered  entities  comply  with  the  privacy  mle's 
requirements.  "Business  Associates"  of  covered  entities,  those  that  perform  certain 
functions  or  activities  on  behalf  of  a  covered  entity,  or  provide  services  to  a  covered 
entity  that  involve  the  use  or  disclosure  of  individually  identifiable  health  information,  are 
contractually  bound  to  the  rule's  standards  and  thus  are  contractually  prohibited  from 
making  any  use  or  disclosure  of  protected  health  information  that  would  violate  the 
Privacy  Rule. 

What  the  rule  did  not  contemplate  was  the  broad  movement  to  web-based  technology, 
instead  of  electronic  medical  records  housed  within  providers'  offices  or  at  hospitals. 
In  an  internet-based  world,  many  organizations  may  have  access  to  protected  health 
information,  some  without  the  patient's  knowledge.  Those  that  are  not  already 
complying  with  HIPAA,  either  as  a  covered  entity  or  business  associate,  should  be 
included  as  HIPAA-covered  entities.  For  example,  health  infonnation  exchanges  could 
be  regulated  as  HIPAA-covered  entities  if  they  cannot  be  determined  to  qualify  as 
health  care  clearinghouses. 

Regulation  of  personal  health  records  (PHRs)  is  somewhat  less  clear.  Under  current 
scenarios,  individuals  give  PHR  companies  permission  to  hold  their  data,  which  the 
company  maintains  for  them  in  a  record,  and  which  the  company  will  send  to  clinicians 
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and  health  care  providers  upon  the  authorization  of  the  patient  To  date,  the  companies 
providing  PHRs  include  health  plans,  stand-alone  organizations,  and  divisions  of  larger, 
diversified  companies  who  may  not  be  health  care  companies.  To  the  extent  that  these 
records  are  held  by  health  plans,  they  appear  to  be  captured  under  HIPAA.  To  the 
extent  that  they  are  not  held  by  health  plans,  they  are  essentially  unregulated,  other 
than  through  the  contractual  agreements  that  the  companies  have  with  the  individuals 
whose  records  they  hold. 

It  is  in  the  companies'  best  interests  to  keep  identifiable  information  confidential,  and  to 
date,  they  all  profess  to  adhere  to  extremely  strict  privacy  standards.  Assuming  that  the 
value  of  the  record  is  in  its  storage  and  transmission,  we  can  expect  companies  to 
adhere  to  their  strict  privacy  protections.  Should  the  value  of  the  records  for  other 
purposes  exceed  their  value  for  maintenance  and  distribution,  then  the  records  are 
somewhat  less  likely  to  be  kept  confidential. 

The  HLC  would  support  reasonable  efforts  to  ensure  that  personal  health  records  held 
by  organizations  that  are  not  HIPAA-covered  entities  meet  HIPAA  privacy  and  security 
rule  requirements-  The  challenge,  however,  is  how  to  structure  such  a  requirement. 

One  possibility  would  be  to  deem  health  information  exchanges  as  health  care 
clearinghouses  for  the  sake  of  simplicity. 

The  ramifications  of  extending  HIPAA  coverage  to  other  entitles  must  be  carefully 
considered,  but  we  strongly  believe  that  to  the  extent  that  additional  entities  are  brought 
into  federal  privacy  protections,  it  is  critically  important  not  to  upset  the  carefully 
calibrated  balance  HIPAA  has  struck  with  respect  to  access  to  information  and 
confidentiality. 

HLC  has  some  additional  concerns  about  how  well  the  HIPAA  privacy  rule  functions,  but 
given  the  questions  you  have  asked  us  to  address  In  this  meeting,  we  have  reserved 
them  in  an  addendum  to  the  testimony. 
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Conclusion 

In  conclusion,  I  want  to  thank  you  again  for  the  opportunity  to  testify  before  the 
Subcommittee.  HLC  strongly  supports  the  broader  implementation  of  HIT  -  HIT  offers 
unparalleled  potential  for  improvement  in  health  care  quality.  However,  patients' 
confidence  in  the  confidentiality  and  security  of  the  HIT  infrastructure  that  is  built  is 
essential  in  order  for  the  resources  spent  on  HIT  acquisition  and  development  to  be 
meaningful. 

We  would  urge  the  Subcommittee's  careful  consideration  of  the  ramifications  of 
changes  to  the  federal  regulations  governing  patient  confidentiality.  Such  changes,  if 
any,  should  be  measured  and  deliberate  in  order  to  continue  the  successful  track  record 
set  by  the  HIPAA  privacy  rule. 

Health  care  providers,  plans  and  clearinghouses  have  spent  significant  resources  to 
comply  with  the  HIPAA  privacy  rule.  Before  recommending  changes  to  the  rule,  we 
should  be  absolutely  certain  that  such  changes  are  indeed  necessary  in  order  to  justify 
the  diversion  of  scarce  resources  from  patient  care  to  administrative  compliance. 

Multi-state  electronic  exchange  of  data  is  already  occurring,  as  health  plans,  pharmacy 
benefit  managers,  pharmacists  use  their  interconnected  electronic  systems  to  pay 
claims,  fill  and  pay  for  prescriptions,  operate  disease  management  programs,  and  alert 
patients  and  clinicians  to  important  information.  While  patients  and  clinicians  are  as  yet 
unused  to  accessing  medical  files  electronically,  the  HIPAA  privacy  and  security 
protections  for  identifiable  information  have  worked  very  well  to  keep  patient-identifiable 
information  confidential.  There  is  no  reason  to  believe  that  these  same  protections, 
which  were  drafted  with  the  electronic  transmission  of  health  care  treatment  and  patient 
Information  in  mind,  will  not  work  equally  well  for  expanded  exchange  of  clinical 
information. 
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We  look  forward  to  continued  work  with  the  Subcommittee.  Any  questions  about  my 
testimony  or  these  issues  can  be  addressed  to  me  at  the  Healthcare  Leadership 
Council  (telephone  202-452-8700,  e-mail  mgrealy@hlc.org). 
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Addendum:  Other  concerns  about  HIPAA*s  current  requirements  in  the  context  of  HIT 


iV.     Minimum  Necessary 

HLC  believes  that  the  Privacy  Rule's  minimum  necessary  standard  -  which  already 
poses  significant  burdens  for  covered  entities  -  may  be  unworkable  in  the  context  of 
disclosures  made  through  health  information  exchange  from  health  care  providers. 
The  Privacy  Rule  provides  that  covered  entities  must  make  "reasonable  efforts"  when 
using,  disclosing  or  requesting  protected  health  information,  to  limit  the  information  to 
the  "minimum  necessary"  amount  needed  to  accomplish  the  intended  purpose  of  the 
use,  disclosure  or  request.  In  addition,  the  regulation  provides  that  covered  entities  may 
not  use,  disclose  or  request  an  entire  medical  record  unless  the  entire  record  is 
"specifically  justified"  as  the  amount  of  information  reasonably  necessary.  Disclosures 
to,  or  requests  by,  a  provider  for  treatment  purposes  are  exempt  from  the  standard  as 
are  uses  or  disclosures  made  pursuant  to  a  written  patient  authorization.  A  covered 
entity  may  rely  on  a  requested  disclosure  of  protected  health  information  from  another 
covered  entity  as  being  the  minimum  necessary  amount. 

This  standard  puts  covered  entities  receiving  requests  to  disclose  information  in  the 
position  of  determining  whether  the  requested  information  is  the  "minimum  necessary" 
amount,  when  only  the  entity  making  a  request  for  information  has  an  informed  basis  for 
determining  whether  the  information  is  the  minimum  necessary  for  its  purposes.  The 
legal  uncertainty  and  risk  created  by  this  standard  already  has  led  to  some  "defensive" 
information  practices  that  restrict  the  appropriate  flow  of  information  within  the  health 
care  system.  For  example,  some  providers,  citing  the  need  to  comply  with  the  HIPAA 
Privacy  Rule,  have  limited  access  by  health  plans  to  protected  health  information 
needed  to  perform  quality  assessment  and  improvement  programs,  utilization  review, 
case  management,  disease  management,  and  other  functions  related  to  maintaining  the 
affordability  of  health  coverage  and  improve  outcomes. 
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Especially  in  an  era  of  increasing  interest  in  comparing  the  effectiveness  of  treatments, 
it  is  critically  important  that  information  be  available  to  those  who  may  legally  access  it 
for  legitimate  reasons,  such  as  determining  the  relative  effectiveness  of  one  treatment 
versus  another,  and  that  patient  control  of  information  or  citations  of  the  minimum 
necessary  requirements  not  be  used  to  subvert  attempts  to  determine  optimal  and 
efficient  treatments  for  patients. 

For  participants  in  a  national  or  regional  health  information  network,  making  minimum 
necessary  determinations  -  or  even  determining  if  a  requesting  party  or  provider  is  a 
HIPAA  covered  entity  -  is  likely  to  be  extremely  challenging.  The  uncertainty  and 
resultant  liability  exposure  associated  with  the  minimum  necessary  standard  is  likely  to 
serve  as  a  barrier  to  participation  in  health  information  exchange.  Interoperability  and 
information  exchange  across  healthcare  settings  cannot  be  fully  met  if  a  physician  is 
required  to  adhere  to  a  nebulous  minimum  necessary  standard.  The  application  of  the 
minimum  necessary  standard  to  this  effort  may  in  fact  increase  medical  error  rates  by 
limiting  the  flow  of  medical  information  in  the  health  care  system  in  a  manner  that  is 
inconsistent  with  the  provision  of  quality  medical  care.  Consideration  should  be  given  to 
eliminating  the  standard,  or  creating  a  safe  harbor  for  when  personal  health  information 
is  exchanged  through  a  national  health  information  network  or  regional  health 
information  exchange. 

V.  Research 

We  are  also  concerned  that  current-law  restrictions  in  the  area  of  research  will  prevent 
health  information  exchange  from  achieving  its  ultimate  objective  as  a  tool  to  improve 
quality  of  care. 

Research  uses  and  disclosures  are  an  essential  part  of  the  national  HIT  infrastructure 
envisioned  in  many  scenarios,  especially  as  it  pertains  to  improvement  of  patient  care. 
The  data  collected  in  this  effort  will  be  crucial  to  achieving  key  objectives  of  this  initiative, 
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particularly  the  goal  of  improving  population  health  by  accelerating  the  movement  of  the 
fruits  of  research  into  delivery  systems  in  a  meaningful  way. 

The  HIPAA  Privacy  Rule  also  recognizes  the  importance  of  research  to  improving  the 
quality  of  healtfi  care  and  took  steps  to  ensure  that  researchers  would  have  continuing 
access  to  health  information.  Under  the  Privacy  Rule,  numerous  entities,  including  non- 
covered  entities,  receive  and  analyze  de-identified  data  or  limited  data  sets  to  assist 
health  care  providers,  health  plans,  government,  the  health  care  management 
communities  and  manufacturers  conduct  market,  utilization  and  outcomes  research, 
implement  best  practices,  and  apply  and  benefit  from  economic  analyses.  Data 
researchers  have  helped  implement  prescription  drug  recall  programs,  performance  of 
pharmaceutical  market  studies,  and  assessment  of  drug  utilization  patterns.  In  these 
areas  and  many  others  the  HIPAA  framework  took  care  to  protect  patient  privacy  while 
permitting  data  use  for  research  where  appropriate. 

We  are  concerned,  however,  that  in  some  instances  the  HIPAA  Privacy  Rule  failed  to 
achieve  the  proper  balance  and  is  inappropriately  restricting  access  to  health 
information  for  researchers.  In  particular,  requiring  expiration  dates  or  events  on  all 
research  authorizations  and  prohibiting  individuals  from  granting  authorization  to  use 
their  health  data  in  unspecified  future  studies  is  limiting  the  on-going  use  of  research 
data  in  ways  that  are  detrimental  to  the  health  care  system.  Under  the  Common  Rule 
that  has  governed  human  subject  research  for  decades,  it  is  generally  permissible  to 
obtain  infomied  consent  from  a  participant  to  use  data  for  future  research  on  data  or 
biologic  materials  stored  in  databases  or  tissue  banks.  The  Privacy  Rule  does  not 
permit  authorization  for  virtually  any  unspecified  future  uses.  The  Secretary's  Advisory 
Committee  on  Human  Research  Protections  (SACHRP)  has  recommended  that  the 
HIPAA  Privacy  Rule  permit  future  uses  that  are  allowed  under  the  Common  Rule.  We 
agree  that  the  Privacy  Rule  needs  to  be  modified  in  this  area  to  be  consistent  and  note 
that  these  restrictions,  if  not  addressed,  will  have  a  significant  impact  on  the  ability  of 
stakeholders  to  achieve  critical  goals  of  HIT. 
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Mr.  Clay.  Thank  you  so  much,  Ms.  Grealy,  for  that  testimony. 
Mr.  Pickard,  you  may  proceed. 

STATEMENT  OF  BYRON  PICKARD 

Mr.  Pickard.  Chairman  Clay  and  members  of  the  subcommittee, 
thank  you  for  this  opportunity  to  testify.  I  will  be  testifying  on  be- 
half of  AHIMA,  but  will  also  draw  upon  my  professional  experi- 
ences to  describe  the  public/private  efforts  currently  underway  ex- 
ploring the  privacy  of  electronically  transmitted  health  information. 

My  written  testimony  addresses  some  areas  of  specific  interest  to 
our  profession;  namely,  expansion  of  privacy  protections  for  per- 
sonal health  records,  differences  between  HIPAA  at  business  asso- 
ciates and  non-covered  third-party  contractors,  and  protecting  stu- 
dent health  information,  and  conflicts  between  HIPAA  and  FERPA. 
AHIMA  also  has  a  foundation  of  research  and  education,  which  has 
received  several  grants  and  contracts  from  the  Office  of  the  Na- 
tional Coordinator  and  others.  I  have  attached  a  list  of  those  com- 
mitments. 

Mr.  Chairman,  the  HIM  professionals'  responsibilities  are  inter- 
woven with  privacy  and  security  issues.  The  expansion  of  confiden- 
tiality management  and  protection  is  impacted  not  only  by  HIPAA 
but  also  by  the  health  care  industry's  continued  transformation 
from  a  paper  intensive  industry  to  one  of  electronic  records  and 
transmissions. 

I  wish  I  could  tell  you  that  the  health  care  industry  has  been 
transformed  into  a  fully  electronic  system,  but,  in  fact,  I  cannot. 
We  are  in  the  midst  of  what  would  be  a  long  transition. 

In  working  through  these  transitional  issues,  AHIMA  has 
partnered  with  the  American  Medical  Informatics  Association  and 
we  have  produced  two  joint  statements  relative  to  today's  discus- 
sion, one  on  health  information  confidentiality,  and  the  other  on 
the  value  of  personal  health  records.  With  so  much  history  and  ex- 
perience in  the  protection  of  health  information,  it  is  important  to 
note  AHIMA's  position.  Our  written  testimony  contains  our  full  list 
of  health  information  confidentiality  principles. 

As  our  health  care  system  becomes  more  interconnected,  our 
networked  health  information  will  flow  across  a  range  of  entities 
and  boundaries.  It  will  be  critical  to  follow  these  principles.  Privacy 
protections  must  follow  personal  health  information  [PHI],  no  mat- 
ter where  it  resides,  and  uniform  and  universal  protections  for  PHI 
should  apply  across  all  jurisdictions  in  order  to  facilitate  consistent 
understanding  and  compliance. 

Considerable  time  has  been  spent  exploring  and  developing  elec- 
tronic health  information  exchange  and  how  to  protect  health  infor- 
mation by  the  Agency  for  Health  Care  Research  and  Quality,  a 
American  health  information  community,  the  Office  of  the  National 
Coordinator,  and  others.  These  initiatives  and  their  impact  on  pri- 
vacy and  security  are  detailed  in  our  written  testimony. 

AHIMA  members,  and  especially  those  who  fill  the  role  of  pri- 
vacy office,  are  noting  that  the  issue  of  confidentiality  is  moving  be- 
yond just  health  care.  With  the  banking  and  finance  industries 
handling  health  information  more  frequently,  it  has  become  appar- 
ent that  we  must  soon  address  the  comprehensive  protection  of  an 
individual's  information,  White  House  whether  it  is  financial  or 
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health  related.  This  is  an  issue  that  Congress  will  need  to  inves- 
tigate as  we  see  more  change  in  the  bordering  of  industry  bound- 
aries. 

We  also  see  a  need  for  consumer  education  to  address  confiden- 
tiality and  security,  as  well  as  the  value  of  health  information  tech- 
nology usage.  It  is  only  with  consumer  trust  that  a  national  infra- 
structure can  be  built  and  laws  adopted  or  modified  to  facilitate  in- 
formation exchange. 

AHIMA  has  long  called  for  consumer-based  personal  health 
records,  in  addition  to  the  standard  provider-based  electronic 
health  records.  While  we  have  never  endorsed  a  PHR  product,  we 
have  called  for  consumers  to  use  a  PHR,  whether  in  paper  or  elec- 
tronic form,  to  track  their  own  health  status.  To  support  this  goal, 
AHIMA  embarked  upon  a  PHR  consumer  education  campaign  that 
combines  the  use  of  a  consumer  Web  site  with  public  presentations 
by  AHIMA  members  in  each  and  every  State. 

AHIMA  is  leading  an  effort  to  ensure  interoperability  of  the 
PHR,  with  the  new  health  level  seven  standard  electronic  health 
record,  and  we  expect  to  see  a  new  PHR  electronic  standard  from 
HL-7  in  the  near  future. 

AHIMA's  believe  that  protections  should  follow  personal  health 
information,  no  matter  where  it  might  be  stored  or  transferred, 
clearly  extends  to  PHRs.  PHRs  can  be  stored  or  offered  by  a  variety 
of  different  vendors  or  operators.  Some  of  these  vendors  are 
HIPAA-covered  entities,  and  others  are  not. 

Protections  against  the  discrimination  and  misuse  of  PHR  infor- 
mation must  be  established  along  with  a  requirement  that  any  ac- 
cess or  use  of  PHR  information  be  governed  by  a  separate  author- 
ization unless  otherwise  required  by  law.  Except  for  PHRs  offered 
by  health  care  providers,  we  believe  that  individuals  should  be 
given  the  right  to  opt  out  of  a  PHR  being  built  for  them  or  their 
family  members. 

The  answers  are  not  simple.  As  the  AHIC  and  the  NCVHS  and 
others  discuss  and  provide  recommendations  in  the  privacy  and  se- 
curity area.  Congress  can  also  begin  to  look  at  some  very  important 
issues:  that  confidentiality  of  protections  follow  the  information  no 
matter  where  it  resides  or  is  transferred;  that  comprehensive  non- 
discrimination laws  have  harsh  penalties  for  the  intentional  misuse 
of  health  information;  that  we  prosecute  those  who  break  these 
laws;  that  we  penalize  those  entities  that  are  non-compliant  with 
confidentiality  and  security  laws  and  regulations;  that  conflicts  be- 
tween HIPAA  versus  FERPA  be  eliminated  in  favor  of  consistent 
and  strong  confidentiality;  and  that  proposed  laws  be  reviewed  to 
identify  barriers  that  may  arise  that  would  impede  the  deployment 
of  health  information  technology  products,  expansion  of  health  in- 
formation exchange,  and  critical  uses  of  health  information. 

Mr.  Chairman  and  members  of  the  subcommittee,  I  hope  that  our 
testimony  has  given  you  an  insight  into  the  aspects  of  health  care 
confidentiality  and  security  that  you  are  seeking,  and  that  our  rec- 
ommendations will  provide  you  with  guidance  as  you  address  the 
many  difficult  questions  facing  our  community.  I  stand  ready  to  an- 
swer any  further  questions  or  concerns  you  might  have. 

Thank  you. 

[The  prepared  statement  of  Mr.  Pickard  follows:] 
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Introduction 

Chairman  Clay  and  members  of  the  Subcommittee,  thank  you  for  inviting  the  American  Health 
Information  Management  Association  (AHIMA)  to  testify  today  on  current  privacy  policies  (HIPAA), 
and  the  challenge  of  integrating  adequate  privacy  protections  into  a  national  health  IT  infrastructure. 
My  name  is  Bryon  Pickard,  MBA,  RHIA  and  I  am  the  current  President  of  AHIMA.  AHIMA  is  the 
premier  association  of  health  information  management  (HIM)  professionals  whose  more  than  5 1 ,000 
members  are  dedicated  to  the  effective  management  and  analysis  of  the  health  data  and  information 
needed  to  deliver  quality  healthcare.  Founded  in  1928  to  improve  the  quality  of  medical  records, 
AHIMA  is  committed  to  advancing  the  HIM  profession  in  an  increasingly  electronic  and  global 
environment  through  leadership  in  advocacy,  education,  certification  and  lifelong  learning. 

In  addition  to  my  role  as  President  of  AHIMA,  I  am  the  director  of  operations  for  the  Vanderbilt 
Medical  Group  Business  Office  at  Vanderbilt  University  Medical  Center  in  Nashville  Tennessee.  I 
have  also  participated  in  privacy,  confidentiality  and  security  design  vi^orkgroups  for  the  Vanderbilt 
Center  for  Better  Health  and  e-Health  initiatives  focusing  on  regional  and  state-wide  health 
information  exchange  projects  in  Tennessee.  My  experience  also  includes  leading  integration,  merger 
and  audit  strategies  for  health  information  systems,  registration  and  patient  accounting  applications, 
and  I  currently  serve  as  a  member  of  the  practice  management  application  IT  advisory  committee  at 
Vanderbilt. 

Today,  I  will  be  testifying  on  behalf  of  AHIMA  but  will  draw  upon  my  professional  experiences  at 
Vanderbilt  and  the  previous  environments  in  which  I  worked.  My  testimony  will  focus  on  the  public 
private  efforts  underway  to  ensure  the  privacy  of  electronically  transmitted  health  information  and  the 
effectiveness  of  our  current  laws  and  regulations  governing  the  use  and  disclosure  of  such  information. 
In  addition,  I  will  address  some  specific  areas  that  are  of  specific  interest  to  our  profession  and  the 
reason  for  today's  hearing: 

•  Expansion  of  privacy  protections  for  personal  health  records 

•  Differences  between  HIPAA  "business  associates"  and  non-covered  third-party  contractors 

•  Protecting  student  health  information:  Health  Insurance  Portability  and  Accountability  Act 
(HIPAA)  vs.  Family  Educational  Rights  and  Privacy  Act  (FERPA) 

For  almost  80-years,  the  HIM  profession  has  strived  to  maintain  the  confidentiality  of  health  records 
and  be  the  patient's  advocate  within  the  healthcare  system.  It  is  with  AHIMA' s  history  and 
experience,  along  with  my  own,  and  those  of  the  AHIMA  members  that  I  have  met  as  an  officer  and 
director  of  AHIMA  and  the  Tennessee  Health  Information  Management  Association  (THIMA)  that  I 
come  before  you  today  prepared  to  respond  to  your  concerns  and  questions  on  the  confidentialit>'  and 
security  of  health  information. 

For  full  disclosure,  I  must  note  that  AHIMA  is  comprised  of  over  51,000  healthcare  professionals 
affiliated  with  one  of  52  state  associations.  In  addition  to  a  detailed  academic  curriculum,  most 
AHIMA  members  are  also  certified  in  one  or  more  areas  of  HIM,  including  a  certification  in  privacy 
and  security.  AHIMA  also  has  a  foundation,  the  AHIMA  Foundation  for  Research  and  Education 
(FORE),  which  is  involved  in  a  variety  of  research  and  academic  scholarship  endeavors.  It  is  through 
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the  reputation  and  experience  of  AHIMA  members  that  FORE  has  received  several  grants  and 
contracts  from  the  Department  of  Health  and  Human  Services'  (HHS)  Office  of  the  National 
Coordinator  for  Health  Information  Technology  (ONC).  The  grants  and  contracts  are  focused  on  state 
health  information  exchange  analysis,  the  potential  for  fraud  associated  with  electronic  records,  and 
subcontracts  associated  with  the  area  of  privacy  and  security.  I  have  attached  a  list  of  those 
commitments  to  this  testimony. 

Mr.  Chairman,  the  HIM  professional's  responsibilities  are  interwoven  with  privacy  and  securit>'  issues. 
With  the  advent  of  privacy  and  security  rules  associated  with  the  Health  Insurance  Portabilit\-  and 
Accountability  Act  of  1996  (HIPAA),  our  profession  undertook  the  role  of  addressing  confidentialitj- 
and  security  as  it  relates  to  the  electronic  transmission  of  healthcare  data — the  use,  access  and 
disclosure  of  health  information  to  persons  other  than  the  individual  or  the  individual's  representative. 
As  you  are  aware,  the  adoption  of  the  HIPAA  privacy  rule  was  not  without  considerable  debate  and  the 
implementation  took  considerable  time,  effort,  and  resources. 

The  expansion  of  confidentiality  management  and  protection  was  impacted  not  only  by  HIPAA,  but 
also  by  the  healthcare  industry's  continued  transformation  from  a  paper-intensive  industr}-  to  one  of 
electronic  records  and  transmissions.  I  wish  I  could  tell  you  that  the  healthcare  industry  has  been 
transformed  into  a  flilly  electronic  system,  but,  in  fact,  I  cannot.  Rather  we  are  in  the  midst  of  what 
will  be  a  long  transition  that  will  see  the  introduction  and  implementation  of  a  standard,  electronic 
health  record,  personal  health  records,  and  health  information  exchange  networks  also  called  Regional 
Health  Information  Organizations  (RHIO)  or  Regional  Health  Information  Networks  (RHINs). 

In  working  through  these  transitional  issues,  AHIMA  has  often  partnered  with  the  American  Medical 
Informatics  Association  (AMIA)  to  form  what  we  believe  is  a  responsible  approach  to  the  healthcare 
industry's  transformation.  I  want  to  mention  this  relationship  because  AHIMA  and  AMIA  have 
produced  two  joint  statements  relevant  to  today's  discussion: 

•  The  AHIMA-AMIA  Joint  Position  Statement  on  Health  Information  Confidentiality 

•  The  AHIMA-AMIA  Joint  Position  Statement  on  the  Value  of  Personal  Health  Records 

With  so  much  history  and  experience  in  the  protection  of  health  information  and  our  involvement  in 
the  current  transformation  of  our  healthcare  system,  it  is  important  to  state  AHIMA's  position  related 
to  today's  topic — current  privacy  policies  (HIPAA)  and  the  challenge  of  integrating  adequate  privacy 
protections  into  a  national  health  IT  infrastructure.  First,  any  organization  that  accesses  or  stores 
personal  health  information  should  abide  by  the  following  principles: 

•  Inform  individuals,  through  clear  communications,  about  their  rights  and  obligations  and  the 
laws  and  regulations  governing  protection  and  use  of  personal  health  information  (PHI). 

•  Notify  individuals  in  clear  language  about  the  organization's  privacy  practices  and  their  rights 
in  cases  of  security  breaches 

•  Provide  individuals  with  a  convenient,  affordable  mechanism  to  inspect,  copy,  or  amend  their 
identified  health  information/records 

•  Protect  the  confidentiality  of  PHI  to  the  fullest  extent  prescribed  under  HIPAA,  regardless  of 
whether  the  organization  is  a  "covered  entity"  as  defined  in  HIPAA,  and  ensure  that  the 
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organization  and  its  employees  all  comply  with  HIPAA,  state  laws,  and  the  policies  and 
procedures  put  in  place  to  protect  PHI. 

•  Use  PHI  only  for  legitimate  purposes  as  defined  imder  HIPAA  or  applicable  laws. 

•  Prohibit  the  use  of  PHI  for  discriminatory  practices,  including  those  related  to  insurance 
coverage  or  employment  decisions. 

•  Timely  notification  of  individuals  if  security  breaches  have  compromised  the  confidentiaIit>'  of 
their  personal  health  information. 

•  Work  with  appropriate  law  enforcement  to  prosecute  to  the  maximum  extent  allowable  by  law 
any  individual  or  organization  who  intentionally  misuses  PHI. 

•  Continue  to  improve  processes,  procedures,  education,  and  technology  so  that  PHI  practices 
improve  over  time. 

As  our  healthcare  system  evolves  and  becomes  more  interconnected,  health  information  will  flow 
across  a  range  of  organizational,  state  and  potentially  international  boundaries  through  a  nationwide 
health  information  network  structure.  As  we  evolve  into  this  structure,  it  will  be  critical  to  follow 
principles  covering  health  information  when  it  is  transferred  between  entities  and  across  boundaries: 

•  Health  information  privacy  protections  must  follow  PHI  no  matter  where  it  resides. 

•  Uniform  and  universal  protections  for  PHI  should  apply  across  all  jurisdictions  in  order  to 
facilitate  consistent  understandmg  and  compliance  by  those  covered  by  such  laws  and  the 
individuals  whose  health  information  is  covered  by  such  laws. 

Trends  are  Changing-Health  Information  Exchange 

As  members  of  the  subcommittee  are  aware,  a  number  of  efforts  are  underway  to  address  many  of  the 
issues  we  have  discussed  today.  AHIMA,  the  healthcare  industry,  and  those  of  us  in  Tennessee  have 
spent  considerable  time  and  energy,  as  has  the  Congress,  exploring  and  developing  electronic  health 
information  exchange.  Whether  v,'e  call  such  an  exchange  a  RHIO  or  an  HIE,  the  concept  of  moving 
healthcare  data  electronically  is  a  critically  important  topic  that  we  have  now  discussed  for  a  multitude 
of  years.  We  have  seen  various  groups  agonize  over  how  to  protect  health  information,  based  on 
where  it  is  stored,  how  it  might  be  transmitted  or  accessed.  They  have  also  agonized  over  various 
protections  for  specific  types  of  data  as  behavioral  health,  HIV,  genetic  information,  and  so  forth.  The 
importance  of  specific  types  of  data  is  in  the  eye  of  the  beholder.  Our  experience  has  indicated  to  us 
that  ail  health  information  should  be  treated  equally — specific  policy  protections  for  specific  types  of 
data  can  give  away  its  type.  Yes,  you  can  build  extra  layers  of  security  requirements  in  your  systems 
to  protect  the  data  but  specific  policy  requirements  can  cause  problems. 

The  HHS  Agency  for  Health  Research  and  Quality  (AHRQ)  through  its  subcontractor  RTI  is  finishing 
a  research  project  -  Health  Information  Security  and  Privacy  Collaboration  (HISPC)  -  that  covered  the 
privacy  and  security  environment  of  some  34  states  and  territories.  The  final  report  from  this  project  is 
due  shortly  and  separate  reports  have  been  generated  by  the  34  states  and  territories,  indicating  where 
laws,  regulations,  and  business  practices  related  to  privacy  and  security,  potentially  stand  as  barriers  to 
the  implementation  of  standard  Electronic  Health  Records  (EHR)  and  the  exchange  of  electronic  health 
information.  Already,  many  of  the  groups  that  participated  in  this  effort  at  the  state  level,  have 
indicated  that  they  have  or  will  undertake  additional  efforts  to  address  and  resolve  these  barriers  on  a 
state  level.  At  the  same  time,  these  same  groups  have  indicated  that  such  projects  may  take  multiple 
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years.  For  instance,  the  group  involved  in  Florida  indicated  that  there  are  over  60  chapters  of  state  law 
that  need  to  be  addressed  to  arrive  at  a  uniform  set  of  code  to  address  health  information  privacy  in  that 
state.  While  we  would  like  to  see  uniformity  at  the  state,  regional,  and  national  level,  we  must 
recognize  just  what  a  large  project  this  will  be. 

ONC,  based  on  preliminary  reports  from  the  AHRQ  effort,  and  the  State  HIE  Best  Practice  Project 
(that  AHIMA/FORE  coordinated)  has  engaged  the  National  Governors  Association  (NGA)  to  look  at 
the  potential  to  design  uniform  state  laws  or  regulations  that  might  bring  us  the  uniformity  and 
consistency  needed  for  a  national  health  information  exchange  system  or  network.  The  NGA  effort 
began  this  last  January.  Included  in  the  effort  is  a  committee  addressing  the  protection  of  health 
information.  The  NGA  is  aware  that  there  are  several  more  formal  efforts  that  have  already  begun  in 
the  states  by  some  individual  governors.  It  is  unclear  if  the  governor's  themselves  are  trying  to  keep 
their  individual  efforts  open  to  national  uniformity  as  they  move  forward. 

Secretary  Leavitt  initiated  the  American  Health  Information  Community  (AHIC)  in  2005.  While 
privacy  was  not  an  initial  focus,  the  Community  quickly  identified  the  need  to  address  confidentiality 
issues  in  their  efforts,  and  a  workgroup  on  Confidentiality,  Privacy,  and  Security  was  formed.  This 
group  has  addressed  some  areas  of  identity  proofing  and  the  need  to  protect  PHI  wherever  it  might 
reside,  but  it  also  has  indicated  that  there  are  many  more  efforts  needed  including  the  authentication  of 
individuals  involved  in  health  information. 

As  the  Community  has  addressed  standards,  and  the  need  for  confidentiality,  it  has  also  made 
recommendations  for  how  standards  may  be  affected  by  privacy  and  the  need  for  certification  of  health 
information  technology  products  that  include  basic  security  to  facilitate  confidentiality.  As  a  result  of 
this  effort,  the  Health  Information  Technology  Standards  Panel  (HITSP)  is  looking  at  confidentiality 
and  privacy  standards,  and  the  Commission  for  Certification  of  Health  Information  Technology 
(CCHIT)  is  looking  to  establish  certification  criteria  to  identify  technology  that  meets  the  principles 
established  by  the  Community  and  HHS. 

As  noted,  the  HHS  National  Committee  on  Vital  and  Health  Statistics  (NCVHS)  has  had  health 
information  confidentiality  as  a  focus  ever  since  NCVHS  was  designated  as  the  advisory  committee  to 
oversee  HIPAA.  In  recent  years  the  NCHVS  Privacy  and  Confidentiality  Subcommittee  has 
concentrated  on  post-HIPAA  privacy  and  security  issues  as  well  as  confidentiality  as  it  applies  to  a 
nationwide  health  information  network  and  personal  health  records.  While  AHIMA  does  not  support 
all  the  recommendations  of  the  NCVHS,  we  have  been  very  pleased  with  the  work  and  testimony  that 
the  committee  has  undertaken,  and  as  noted  we  specifically  would  point  out  their  efforts  on  HIPAA 
versus  FERPA. 

As  members  of  the  committee  are  aware,  the  House  has  passed  legislation  related  to  nondiscrimination 
on  the  basis  of  genetic  information  (HR  493,  the  "Genetic  Information  Nondiscrimination  Act").  This 
legislation  is  now  on  "hold"  in  the  Senate.  As  I  have  noted,  AHIMA  believes  that  nondiscrimination 
should  apply  to  all  health  information,  not  just  genetic  and  we  would  hope  that  Congress  would 
consider  such  an  approach. 

Our  members,  especially  those  who  fill  the  role  of  privacy  officers  (required  by  HIPAA)  are  noting 
that  the  issue  of  privacy  for  them  is  moving  beyond  just  healthcare.  With  the  banking  and  finance 
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industries  becoming  more  involved  in  privacy  we  see  that  we  must  soon  address  the  protection  of  an 
individual's  information  uniformly  whether  it  is  financial  or  healthcare.  This  is  an  issue  that  Congress 
will  need  to  follov^-  as  we  see  more  movement  and  change  in  healthcare. 

As  I  have  mentioned,  we  also  see  a  need  for  consumer  education.  Education  needs  to  address 
confidentiality-  and  security  as  well  as  health  information  technology  and  the  new  environment.  It  is 
only  with  consumer  trust  that  we  can  build  a  national  infrastructure  and  adopt  or  modify'  laws  to 
facilitate  such  an  exchange. 

1  have  also  alluded  to  that  fact  that  AHIM.A,  and  its  members  are  verj'  involved  in  the  area  of 
confidentiaiit}'  and  securit>'.  Many  of  our  members  are  involved  in  efforts  surrounding  the  PHR.  HIE. 
and  protections  for  health  records  whether  they  are  paper,  electronic,  or  hybrid  form.  While  it  would 
be  wonderful  to  see  one  concerted  effort,  we  know  from  experience  that  there  is  a  tremendous  amount 
of  work  that  needs  to  be  done  because  of  our  federal  foundation  and  approach  to  legislation  and 
regulation,  as  well  as  the  evolution  that  is  going  on  in  health  information  technology  and  management. 

Expansion  of  Privacy  Protection  for  PHRs 

AHIMA  has  long  called  for  consumer-based  personal  health  records  in  addition  to  provider-based 
electronic  health  records.  This  goes  back  e\-en  before  the  creation  of  jump-drives  and  web-based 
portals.  It  has  been  our  contention  that  consumers  should  have  a  copy  of  their  medical  record,  track 
their  current  health  status,  and  ha\  e  an  o\  erall  healthcare  awareness.  We  have  never  endorsed  a 
method  or  a  PHR  product.  We  have  just  endorsed  that  consumers  should  use  a  PHR — whether  in 
paper  or  electronic  form. 

To  spread  the  word  on  the  importance  of  PHRs,  AHIMA  embarked  upon  a  consumer-education 
campaign.  This  campaign  combined  the  use  of  a  consumer  web  site,  v\w\\. mvPHR.com.  with 
nationwide  public  speaking  engagements  by  AHIM.A  members  in  each  and  ever>'  state. 

The  web  site  is  a  tool  that  helps  visitors  some  important  questions  about  personal  health  records; 

•  WTiy  start  a  PHR? 

•  WTiat  should  your  PHR  contain? 

•  WTiat  are  the  steps  to  be  taken  to  create  a  PHR? 

•  Are  there  different  ways  to  keep  your  PHR? 

In  addition,  the  site  provides  a  fi-ee  health  record  form  that  will  help  consumers  start  their  own  PHRs. 

As  our  public-education  campaign  continues,  so  do  personal  health  record  developments.  .Although 
there  is  no  single  model  of  a  personal  health  record,  there  are  some  important  concepts  that  should 
apply  to  any  PHR. 

Today,  .A.HIMA  and  others  in  the  industr\'  are  working  hard  on  interoperable  and  data  standards 
that  will  ensure  that  any  electronic  PHR  is  capable  of  being  interoperable  with  the  standard  EHR 
and  other  electronic  records.  Currently,  AHIMA  is  leading  an  effort  to  ensure  the  interoperabilit)^ 
of  the  PHR  widi  the  Health  Level  Seven  (HL7)  standard  electronic  health  record.  We  expect  to  see 
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a  new  HL7  standard  in  the  not  too  distant  future.  AHIMA  defines  the  PHR  as  "...an  electronic, 
universally  available,  lifelong  resource  of  health  information  needed  by  individuals  to  make  health 
decisions.  Individuals  own  and  manage  the  information  in  the  PHR,  which  comes  from  healthcare 
providers  and  the  individual.  The  PHR  is  maintained  in  a  secure  and  private  environment,  with  the 
individual  determining  rights  of  access.  The  PHR  is  separate  from  and  does  not  replace  the  legal 
record  of  any  provider." 

As  I  indicated,  AHIMA  believes  that  protection  should  follow  the  personal  health  information  no 
matter  where  it  might  be  stored  or  transferred.  This  clearly  extends  to  PHRs,  which  can  be  stored  or 
offered  by  a  variety  of  different  vendors  or  operators.  Some  of  these  vendors  are  covered  by  HIPAA, 
because  they  have  some  healthcare  claims  function  that  has  made  them  a  HIPAA-covered  entity.  A 
few  vendors  may  be  covered  by  state  law,  but  it  must  be  noted  that  neither  HIPAA  nor  most  state  laws 
considered  PHRs.  The  industry  is  moving  that  quickly. 

Clearly  today,  PHRs  offered  by  non-HIPAA-covered  entities  have  no  protection  unless  there  is  state 
legislation  that  specifically  addresses  the  issue.  Even  if  state  legislation  exists,  there  is  concern  if  the 
PHR  operator  is  in  one  state,  and  the  consumer  is  in  another,  which  law  applies  and/or  prevails.  In  line 
with  consumer  concerns  related  to  discrimination  and  misuse  of  personal  health  information,  we 
recommend  that  uniform  laws  be  written  to  cover  the  misuse  of  personal  health  information  regardless 
of  where  it  resides  or  is  transmitted  -  this  would  then  include  the  personal  health  record. 

A  concern  with  the  information  in  a  PHR  relates  to  who  has  access  and  can  use  the  information  beyond 
the  individual.  As  I  noted,  there  are  a  variety  of  models  of  PHRs  offered  HIPAA  covered  entities  and 
others.  The  question  is  what  access  and  responsibilities  should  govern  the  operator  or  vendor  of  the 
PHR.  Some  health  plans  have  indicated  that  they  have  the  right  to  access  and  use  PHRs  they  operate 
under  the  "Treatment,  Payment,  and  Healthcare  Operations  (TPO)  of  HIPAA.  We  think  such  access 
for  a  PHR  should  be  questioned.  The  first  word  in  PHR  is  "personal"  and  it  makes  sense  that  the 
individual  provide  an  additional  authorization  for  any  access  or  use  of  this  PHR  record  set  outside  of 
the  individual's  ovm  use.  If  the  individual  cannot  control  the  access  and  use  to  their  own  PHR,  their 
ability  to  trust  and  ensure  the  appropriate  use  of  their  personal  information  will  be  eroded.  This  is 
especially  true  when  the  PHR  is  in  the  hands  of  a  third  party  where  there  is  a  concern  about  potential 
misuse  or  discrimination. 

Our  recommendation,  therefore,  not  only  extends  to  protection  against  the  discrimination  and  misuse 
of  PHR  information,  but  also  for  establishing  a  requirement  that  any  access  or  use  be  governed  by  a 
separate  authorization  unless  otherwise  required  by  law.  In  addition,  except  for  PHRs  offered  by 
healthcare  providers,  we  believe  that  individuals  (in  this  case  usually  subscriber  or  employees)  should 
be  given  the  right  to  opt-out  of  a  PHR  being  built  for  them  or  their  affected  family  members.  This 
would  mean  that  no  PHR  would  be  populated  even  with  claims  data. 

While  we  have  some  concerns  for  how  some  PHRs  are  populated  with  claims  data,  we  are  pleased  to 
see  healthcare  providers,  health  plans,  employers,  and  other  types  of  organizations  take  steps  to  make 
such  records  available  for  individuals  and  for  healthcare  providers  when  such  data  is  needed.  Even  so, 
the  consumer  must  be  fully  aware  of  how  the  record  is  populated  and  how  it  can  be  accessed  and  used. 
Not  only  used  by  themselves,  but  by  their  healthcare  providers  and  by  the  operators  of  the  PHR.  If 
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awareness  is  not  a  component,  PHRs  will  fall  into  misuse,  which  itself  could  endanger  the  health  of  the 
individual. 

Difference  Between  Business  Associates  and      Party  Non-Covered  Entities 

The  privacy  officer  members  of  AHIMA  have  often  cited  the  business  associate  requirement  as  one  of 
the  more  difficult  aspects  of  HIPAA  to  manage.  This  is  especially  true  when  you  have  a  small 
provider  contracted  with  a  very  large  subcontractor  who  sets  the  tone  of  the  relationship.  Business 
associates  in  the  realms  of  privacy  would  be  subcontractors  of  HIPAA  covered  entities,  which,  as  I 
have  already  noted,  are  not  all  the  parties  that  could  be  involved  with  personal  health  information. 
Under  HIPAA,  the  covered  entity  would  identify  the  HIPAA  responsibilities  to  the  subcontractor  or 
business  associate  and  the  business  associate  would  then  be  responsible  for  compliance.  If  a  HIPAA 
entity  discovered  that  a  business  associate  was  not  in  compliance  with  HIPAA  then  it  would  take 
corrective  action  or  cancel  the  contract.  The  contracts  also  become  difficult  to  manage  when  the 
covered  entity's  subcontractor  itself  subcontracts  out  to  complete  the  work  requirements  in  the 
contract.  As  we  have  seen  in  some  cases,  this  subcontractor  list  can  extend  to  multiple  parties. 

Once  again,  situations  such  as  these  show  the  need  for  the  confidentiality  and  security  protections  to 
follow  the  data  no  matter  where  it  resides  or  is  transferred.  The  entity  holding  the  identifiable  personal 
health  information  should  be  responsible  for  its  safekeeping.  The  Confidentiality,  Privacy,  and 
Security  (CPS)  Workgroup  of  the  HHS  advisory  body  AHIC  last  week  made  a  similar 
recommendation  to  the  Secretary.  The  CPS  recommended: 

•  "All  persons  and  entities,  excluding  consumers,  that  participate  directly  in,  or  comprise,  an 
electronic  health  information  exchange  network,  through  which  individually  identifiable  health 
information  is  stored,  compiled,  transmitted  modified,  or  accessed  should  be  required  to  meet 
enforceable  privacy  and  security  criteria  at  least  equivalent  to  any  relevant  HIPAA  requirements 
(45  CFR  Parts  160  and  164).  " 

•  "Furthermore,  any  person  or  entity  that  functions  as  a  Business  Associate  (as  described  in  45  CFR 
§160.103)  and  participates  directly  in,  or  comprises,  an  electronic  health  information  exchange 
network  should  be  required  to  meet  enforceable  privacy  and  security  criteria  at  least  equivalent  to 
any  relevant  HIPAA  requirements,  independent  of  those  established  by  contractual  arrangements 
(such  as  a  Business  Associate  Agreement  as  provided  for  in  HIPAA).  " 

AHIMA's  immediate  past  president,  Jill  Callahan  Dennis,  JD,  RHIA,  is  a  member  of  the  CPS 
workgroup  and  we  believe  these  recommendations  make  a  lot  of  sense.  The  world  is  far  too 
complicated  to  be  able  to  use  a  "business  associate"  approach  especially  when  we  are  discussing 
electronic  health  exchange  among  a  variety  of  different  entities.  Again,  let  the  protections  follow  the 
data,  and  make  all  parties  responsible  for  confidentiality. 

Employer  Requests  for  Information 

Another  important  issue  in  the  current  personal  health  information  landscape  concerns  employer 
requests  for  health  information.  If  you  have  seen  some  of  the  consumer  polls,  you  know  that 
consumers  have  indicated  less  concern  for  where  their  health  information  resides.  Why?  Consumers 
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want  their  health  information  to  benefit  themselves,  their  families,  and  their  communities.  However, 
what  the  polls  have  consistently  showed  is  that  consumers  fear  that  their  information  may  used  against 
them  for  discriminatory  purposes  by  their  employer,  potential  employer,  and/or  insurers.  Eliminating 
this  fear  of  discrimination  is  crucial  to  creating  trust  in  our  system  and  with  moving  forward  with 
electronic  health  information  exchange.  If  we  can  secure  data  and  create  trust  then  we  will  have  an 
easier  time  having  the  data  available  for  a  variety  of  important  population  health  needs  as  quality 
measurement,  public  health  surveillance,  biosurveillance,  and  health  research. 

There  are  legitimate  needs  for  employers  to  have  some  health  information  about  their  employees  or 
potential  employees,  just  as  there  are  a  few  reasons  why  some  insurers  need  some  health  information 
concerning  their  insured  or  potential  insured.  In  this  instance,  I  am  talking  about  access  to  information 
outside  of  the  claims  process.  We,  and  I  think  this  is  a  government  role,  need  to  define  the  misuse  of 
data  and  the  legitimate  reasons  for  why  an  employer  might  require  access  to  personal  health 
information  or  request  information  from  an  employee  or  potential  employee.  It  is  important  to  define 
what  constitutes  health  information  discrimination  versus  the  legitimate  needs  for  information.  Then, 
if  discrimination  exists,  it  should  be  punished. 

It  is  the  goverrmient's  role  to  establish  a  means  of  punishing  those  who  discriminate  or  misuse  data. 
Misuse  could  be  the  intentional  and  unwarranted  access  to,  use  of,  or  distribution  of  ah  individual's 
personal  health  information.  There  are  some  laws  on  the  books,  including  those  passed  by  Congress  in 
1997,  but  there  have  been  very  few  prosecutions.  If  the  public  begins  to  see  that  the  healthcare  industry 
and  government  are  active  in  this  area,  it  will  likely  create  a  greater  trust  in  the  system  by  showing  the 
public  that  misuse  of  data  has  serious  ramifications. 

Strong  "misuse  of  PHI  rules"  would  also  allow  the  industry  and  government  to  prosecute  the  intention 
breeches  of  information  that  we  have  seen  reported  in  the  media.  I  do  not  mean  to  suggest  that  all  of 
the  potential  breeches  are  intentional  or  result  in  a  loss  of  protection.  But  our  industry  does  need  to  be 
held  accountable  for  the  security  of  health  information  and  let  us  send  a  message  to  anyone  who 
desires  to  breech  the  confidentiality  of  healthcare  information  that  they  will  be  punished.  Let  the 
protection  follow  the  data  and  let's  punish  those  who  misuse  healthcare  data  or  discriminate  on  the 
basis  of  healthcare  data.  If  we  do  not,  consumers  will  not  have  trust  in  our  development  of  EHRs,  our 
establishment  of  EHI,  and  access  to  secondary  health  information  that  will  better  society. 

Student  Protecrions 

Another  important  area  of  consideration  is  protecting  the  healthcare  data  of  students.  Student 
healthcare  data  has  two  masters,  the  HIPAA  privacy  rule  and  FERPA.  Over  the  past  several  years,  the 
NCVHS  Subcommittee  on  Confidentiality  and  Privacy  has  held  several  hearings  that  have  highlighted 
the  problems  created  by  having  these  two  laws  overlap. 

Gone  is  the  day  when  the  school  nurse  took  your  temperature  and  put  you  on  a  cot  until  it  was  time  to 
go  home.  Today's  school  nurses  are  dealing  with  students  on  a  variety  of  drug  regimens,  some  even 
sporting  infusion  pumps.  Disease  outbreaks  require  that  school  districts  have  immunization  records. 
The  schools  and  their  nurses  should  not  have  to  beg  parents  and  family  physicians  for  records.  High 
school  coaches  need  to  have  a  clear  and  accurate  health  picture  of  the  players  on  their  teams  to  take 
precautions  against  the  child  with  a  heart  condition  collapsing  on  the  field.  It  is  a  difficult  balance. 
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Even  though  this  information  is  needed  to  protect  against  disaster,  it  should  not  be  available  to 
everyone  in  the  school  or  in  the  locker  room.  FERPA  was  not  designed  to  provide  the  protections  that 
Congress  and  the  states  have  seen  as  necessary  for  health  information. 

Administration  of  both  rules  becomes  even  more  difficult  for  schools  such  as  Vanderbilt.  The  rules 
reside  side-by-side.  Again,  we  owe  it  to  our  citizens  to  protect  the  confidentiality  of  their  health 
information.  We  suggest  that  the  Congress  look  at  the  testimony  and  recommendations  made  by  the 
NCVHS  with  regard  to  FERPA  and  HIPAA  issues  and  seek  to  extend,  at  a  minimum,  HIPAA 
protections  to  all  healthcare  data,  so  there  is  no  question  on  which  of  the  two  laws  prevails  when 
discussing  healthcare  data. 

Conclusion 

Currently  the  transformation  in  healthcare  is  occurring  at  a  pace  unheard  of  in  the  industry,  and  yet 
some  would  say  it  should  move  even  faster.  The  transformation  in  healthcare  is  not  just  converting 
healthcare  data  from  paper  to  electronic,  but  it  is  also  transforming  the  business  processes  and  uses  of 
information  required  in  such  a  metamorphosis.  In  addition  to  this  conversion  we  have  even  more 
consumer  involvement,  and  rightly  so,  calling  for  rigid  confidentiality  and  security  assurances  that  will 
protect  individuals  against  discrimination  and  the  misuse  of  their  healthcare  information.  That's  a  big 
order,  and  as  I  have  alluded  to  this  transformation  and  culture  changes  it  is  not  happening  overnight, 
but  rather  will  take  many  years.  In  the  meantime  we  now  find  ourselves  in  the  midst  of  change  and  in 
an  environment  that  is  neither  all  paper  nor  electronic.  We  also  find  ourselves  in  an  environment  never 
anticipated  by  a  myriad  of  existing  federal  and  state  laws  and  regulations  that  impact  our  abilities  to 
make  the  conversion  and  preserve  the  needed  confidentiality  and  security  practices  we  have  addressed 
this  afternoon. 

The  industry  is  in  a  major  transition  where  different  health  information  exchange  models  are  being 
discussed  for  a  multitude  of  environments.  While  we  might  desire  a  simple  answer  as  soon  as 
possible,  this  will  not  be  the  case.  Once  again,  we  must  suggest  that  the  healthcare  industry  and 
government  provide  protections  that  will  permit  a  variety  of  models  and  the  time  to  approach  more 
specific  rules  and  regulation.  As  we  move  forward  we  must  insure  that  personal  health  information  is 
protected  wherever  it  might  reside.  We  must  insure  that  individuals  are  protected  against  the  misuse  of 
their  health  information  for  discriminatory  and  other  nefarious  purposes.  And  finally,  we.must  insure 
that  individuals  continue  to  have  a  right  to  access  to  their  own  healthcare  information 

In  addition  to  our  efforts  to  make  laws,  regulations,  and  practices  standard,  there  is  similarly  a  need  to 
address  just  how  health  information  technology  impacts  concerns  for  privacy.  We  in  the  HIM 
profession  believe  that  new  information  technology  will  permit  even  better  security  and 
confidentiality,  if  the  principles  and  processes  surrounding  such  technology  are  applied  intelligently. 
But,  we  have  a  major  need  for  educating  and  an  understanding  of  EHRs,  PHRs,  information  exchange. 

History  has  shown  that  there  is  no  silver  bullet  that  will  solve  everything  but  while  goals  and 
objectives  and  even  principles  can  be  stated,  a  detailed  map  of  milestones  is  very  difficult  to  achieve  in 
our  system  of  government  and  under  our  healthcare  model.  I  can  assure  the  committee  that  many  are 
working  on  this  effort  and  our  goals  are  becoming  more  uniform  as  we  move  forward. 
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Over  the  years,  some  in  Congress  have  made  consistent  efforts  to  legislate  in  the  privacy  area.  It  has 
been  a  difficult  undertaking  to  say  the  least.  As  the  AHIC,  NCVHS  and  others  discuss  and  provide 
recommendations  in  the  privacy  and  security  area.  Congress  can  also  begin  to  look  at  some  very 
important  issues: 

•  The  need  to  insure  that  confidentiality  protections  follow  the  information  no  matter  where  it 
resides  or  is  transferred. 

•  Comprehensive  nondiscrimination  legislation  that  has  harsh  penalties  for  the  misuse  and  illegal 
requests  for  health  information. 

•  The  need  to  prosecute  those  who  break  the  law. 

•  The  need  to  penalize  those  entities  whose  confidentiality  and  security  processes  and 
technologies  do  not  comply  with  the  level  of  confidentiality  protection  required  by  law. 

•  The  need  to  eliminate  the  conflicts  between  HIPAA  v  FERPA. 

•  Conscientious  review  of  proposed  laws  to  identify  barriers  that  may  arise  that  would  impede 
deployment  of  health  information  technology  products,  expansion  of  health  information 
exchange,  and  critical  uses  of  health  information — as  for  quality  reporting,  biosurveil lance,  and 
public  health. 

Mr.  Chairman  and  members  of  the  subcommittee,  I  hope  that  my  testimony  has  given  you  an  insight 
into  the  aspects  of  healthcare  confidentiality  and  security  that  you  are  seeking  and  that  my 
recommendation  will  provide  you  with  guidance  as  you  address  the  many  thorny  questions  facing  our 
community.  I  stand  ready  to  answer  any  further  questions  or  concerns  you  might  have,  and  as 
president  of  AHIMA,  I  similarly  make  available  to  you  the  resources  of  our  staff  to  assist  in  any  way 
possible. 
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Statement  on  Health  Information  Confidentiality 
A  Joint  Position  Statement 
by 

American  Medical  Informatics  Association 
American  Health  Information  Management  Association 
July  2006 

The  American  Medical  Informatics  Association  (AMIA)  and  the  American  Health  Information 
Management  Association  (AHIMA)  have  a  long  history  of  working  to  protect  the  confidentiality  of 
individuals'  health  information  and  to  promote  fair  information  practices.  Public  confidence  that 
privacy  will  be  protected  and  that  identifiable  information  will  be  used  only  for  purposes  authorized  by 
the  individual,  or  otherwise  permitted  by  law  are  essential  to  ensuring  trust  in  a  nationwide  health 
information  network  (NHIN  that  facilitates  sharing  of  personal  health  information  (PHI).  As  the 
United  States  progresses  from  a  paper-based  system  of  health  records  to  an  electronic  environment, 
AMIA  and  AHIMA  believe  that  the  following  principles  should  be  incorporated  in  all  rules, 
regulations,  or  laws  pertaining  to  PHI. 

Any  organization  that  accesses  or  stores  PHI  should  abide  by  the  following  principles.  The 
organization  should: 

•  Inform  individuals,  through  clear  communications,  about  their  rights  and  obligations  and  the  laws 
and  regulations  governing  protection  and  use  of  PHI. 

•  Notify  indi\iduals  in  clear  language  about  the  organization's  privacy  practices  and  their  rights  in 
cases  of  breaches 

•  Provide  individuals  with  a  convenient,  affordable  mechanism  to  inspect,  copy,  or  amend  their 
identified  health  informatiorb'records 

•  Protect  the  confidentiality  of  PHI  to  the  fullest  extent  prescribed  under  HIP  AA,  regardless  of 
whether  the  organization  is  a  "covered  entity"  as  defined  in  HIPAA,  and  ensure  that  the 
organization  and  its  employees  all  comply  with  HIPAA,  state  laws,  and  the  policies  and  procedures 
put  in  place  to  protect  PHI. 

•  Use  PHI  only  for  legitimate  purposes  as  defined  under  HIPAA  or  applicable  laws. 

•  Prohibit  the  use  of  PHI  for  discriminatorv'  practices,  including  those  related  to  insurance  coverage 
or  employment  decisions 

•  Timely  notification  of  individuals  if  security  breaches  have  compromised  the  confidentiality  of 
their  personal  health  information. 

•  Work  with  appropriate  law  enforcement  to  prosecute  to  the  maximum  extent  allowable  by  law  any 
individual  or  organization  who  intentionally  misuses  PHI 

•  Continue  to  improve  processes,  procedures,  education,  and  technology  so  that  PHI  practices 
improve  over  time. 

Furthermore,  because  PHI  is  expected  to  flow  across  organizational  boundaries  through  the  NHIN,  it  is 
important  that  the  following  principles  covering  information  when  it  is  transferred  fi-om  one  entity  to 
another  also  apply: 

•  Health  information  privacy  protections  must  follow  PHI  no  matter  where  it  resides 
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•    Uniform  and  universal  protections  for  PHI  should  apply  across  all  jurisdictions  in  order  to  facilitate 
consistent  understanding  by  those  covered  by  such  laws  and  the  individuals  whose  health 
information  is  covered  by  such  laws. 

About  AS41A 

The  American  Medical  Informatics  Association  (AMIA)  is  an  organization  of 3,500  health  professionals  committed  to 
informatics  who  are  leaders  shaping  the  future  of  health  information  technology  and  its  application  in  the  United  States 
and  41  other  nations.  AMIA  is  dedicated  to  the  development  and  application  of  informatics  in  support  of  patient  care, 
teaching,  research,  and  health  care  administration  and  public  policy.  \s  wu  .am  ia.org 

About  AHIMA 

The  American  Health  Information  Management  Association  (AHIMA)  is  the  premier  association  of  health  information 
management  (HIM)  professionals.  AHIMA 's  50,000  members  are  dedicated  to  the  effective  management  of  personal  health 
information  needed  to  deliver  quality  health  care  to  the  public.  Founded  in  1928  to  improve  the  quality  of  medical  records, 
AHIMA  is  committed  to  advancing  the  HIM  profession  in  an  increasingly  electronic  and  global  environment  through 
leadership  in  advocacy,  education,  certi/ication,  and  lifelong  learning,  uuw.ahima.oii' 

7-31-2006 
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The  Value  of  Personal  Health  Records 
A  Joint  Position  Statement  for  Consumers  of  Health  Care 
by 

American  Health  Information  Management  Association 
American  Medical  Informatics  Association 
February  2007 

Position 

The  American  Health  Information  Management  Association  (AHIMA)  and  the  American  Medical 
Informatics  Association  (AMIA)  advocate  empowering  individuals  to  manage  their  healthcare  through 
the  use  of  a  personal  health  record  (PHR).  The  PHR  is  a  tool  for  collecting,  tracking  and  sharing 
important,  up-to-date  information  about  an  individual's  health  or  the  health  of  someone  in  their  care. 
Using  a  PHR  will  help  people  make  better  health  decisions  and  improves  quality  of  care  by  allowing 
them  to  access  and  use  information  needed  to  communicate  effectively  with  others  about  their 
healthcare. 

Basic  Principles 

•  Every  person  is  ultimately  responsible  for  making  decisions  about  his  or  her  health. 

•  Every  person  should  have  access  to  his  or  her  complete  health  information.  Ideally  it 
should  be  consolidated  in  a  comprehensive  record. 

•  Information  in  the  PHR  should  be  understandable  to  the  individual. 

■  Information  in  the  PHR  should  be  accurate,  reliable,  and  complete. 

■  Integration  of  PHRs  with  EHRs  of  providers  allows  data  and  secure  communication  to  be 
shared  between  a  consumer  and  his  or  her  health  care  team. 

■  Every  person  should  have  control  over  how  their  PHR  information  is  accessed,  used  and 
disclosed.  All  secondary  uses  of  PHR  data  must  be  disclosed  to  the  consumer,  with  an 
option  to  opt-out,  except  as  required  by  law. 

■  PHR  products  should  be  certified  by  CCHIT  to  comply  with  data  standards,  include  a 
minimum  data  set,  identify  each  data's  source,  and  meet  security  criteria  consistent  with 
HIPAA 

■  The  operator'  of  a  PHR  must  be  accountable  to  the  individual  for  unauthorized  use  or 
disclosure  of  personal  health  information.  The  consumers  should  be  notified  immediately 
of  breeches  in  security  that  could  lead  to  disclosure  of  personal  health  information. 

■  A  PHR  may  be  separate  from  and  does  not  normally  replace  the  legal  medical  record  of  any 
provider. 

■  Privacy  protection  of  PHR  data  should  follow  the  data.  PHR  data  must  not  be  used  in  any 
discriminator)'  practices. 


An  ■operator"  could  be  a  healthcare  provider,  health  plan,  commercial  supplier,  government  agency,  employer,  union,  fraternal  order, 
and  so  forth. 


14 


79 


AHIMA/AMIA  PHR  Position  Statement 
Page  2 

Questions  and  Answers 

Why  should  everyone  have  a  PHR?  We  believe  that  all  individuals  should  be  able  to  readily  access, 
understand,  and  use  their  personal  health  information.  A  PHR  allows  individuals  to  be  more  active 
partners  in  their  healthcare,  and  gives  them  up-to-date  information  when  and  where 
they  need  it.  A  PHR  provides  a  single,  detailed  and  comprehensive  profile  of  a  person's  health  status  and 
healthcare  activity.  It  facilitates  informed  decisions  about  the  care  of  the  individual.  It  may  also  reduce 
duplicate  procedures  or  processes  -  such  as  repeated  lab  tests  and  x-rays  -  saving  time  and  money.  A 
PHR  helps  people  prepare  for  appointments,  facilitates  care  in  emergency  situations,  and  helps  track 
health  changes. 

What  media  should  you  use  for  a  PHR?  We  encourage  individuals  to  begin  tracking  their  health 
information  in  whatever  format  works  best  for  them,  even  if  the  choice  is  paper.  We  recommend  that 
individuals  use  an  electronic  media  to  facilitate  a  timely,  accurate,  and  secure  exchange  of  information 
across  healthcare  institutions  and  providers.  PHR  information  should  always  be  stored  in  a  secure  manner 
just  as  you  would  store  other  confidential  personal  information  such  as  financial  information. 

How  can  an  individual  choose  a  PHR  supplier?  Individuals  can  create  their  own  PHR,  or  may  be 
offered  one  by  a  variety  of  sources,  such  as  a  healthcare  provider,  insurer,  employer  or  a  commercial 
supplier  of  PHRs.  Each  supplier  has  different  policies  and  practices  regarding  how  they  may  use  data 
they  store  for  the  individual.  Study  the  policies  and  procedures  carefully  to  make  sure  you  understand 
how  your  personal  health  information  will  be  used  and  protected.  Policies  to  look  for  include  privacy  and 
security;  the  ability  of  the  individual,  or  those  they  authorize,  to  access  their  information;  and  control  over 
accessibility  by  others.  If  the  PHR  contains  the  same  information  that  the  doctor  has  seen,  it  has  more 
usefulness  for  tracking  purposes  than  information  from  insurance  forms.  For  example,  insurance  claims 
information  may  list  the  diagnosis  or  medication  but  not  the  details  (for  example,  actual  blood  pressure 
reading  or  dose  of  the  medication  taken). 

What  should  a  PHR  contain?  Broader  than  a  medical  record,  the  PHR  should  contain  any  information 
relevant  to  an  individual's  health.  In  addition  to  medical  information  such  as  test  results  and  treatments,  a 
PHR  may  include  diet  and  exercise  logs  or  a  list  of  over-the-counter  medications.  A  PHR  should  contain 
the  following  information: 

■  Personal  identification,  including  name  and  birth  date 

■  People  to  contact  in  case  of  emergency 

■  Names,  addresses,  and  phone  numbers  of  your  physicians,  dentists,  and  specialists 

■  Health  insurance  information 

■  Living  wills,  advance  directives,  or  medical  power  of  attorney 

■  Organ  donor  authorization 

•  A  list  and  dates  of  significant  illnesses  and  surgical  procedures 

•  Current  medications  and  dosages 

■  Immunizations  and  their  dates 

■  Allergies  or  sensitivities  to  drugs  or  materials,  such  as  latex 

■  Important  events,  dates,  and  hereditary  conditions  in  your  family  history 

■  Results  from  a  recent  physical  examination 

•  Opinions  of  specialists 

■  Important  tests  results;  eye  and  dental  records 

•  Correspondence  between  an  individual  and  his  or  her  provider(s) 

•  Current  educational  materials  (or  appropriate  web  links)  relating  to  one's  health 
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Where  individuals  should  begin:  A  good  place  to  begin  is  with  a  visit  to  vvww .my PHR.com  (a  site 
provided  as  a  free  public  service  by  AHIMA)  for  further  information  on  creating  and  managing  a  PHR. 
We  suggest  that  people  find  out  if  their  healthcare  providers,  employer,  insurers,  or  another  individual  or 
organization  offers  a  PHR.  If  an  individual  needs  to  obtain  copies  of  medical  records  themselves,  they 
can  contact  doctors'  ofTices  or  each  facility  where  they  have  received  treatment. 

Each  person  can  create  a  PHR  at  his  or  her  own  pace,  perhaps  starting  with  the  next  medical  visiL  The 
important  thing  is  to  get  started. 

Note:  Because  the  use  of  personal  health  records  is  an  issue  of  importance  to  both  organizations,  AHIMA  and  AMI  A 
collaborated  on  the  development  of  this  joint  position  statement. 

About  AH f MA 

The  American  Health  Information  Management  Association  (AHIMA)  is  (he  premier  association  of  health  information 
management  (HIM)  professionals.  AHIMA 's  50.000  members  are  dedicated  to  the  effective  management  of personal  health 
information  needed  to  deliver  quality  health  care  to  the  public.  Founded  in  1928  to  improve  the  quality  of  medical  records, 
AHIMA  is  committed  to  advancing  the  HIM  profession  in  an  increasingly  electronic  and  global  environment  through 
leadership  in  advocacy,  education,  certification,  and  lifelong  learning,  uwu  ahiiTia.orn 

About  AMIA 

The  American  Medical  Informatics  Association  (AMIA)  is  an  organization  of 3,500  health  professionals  committed  to 
informatics  who  are  leaders  shaping  the  future  of  health  information  technology  and  its  application  in  the  United  States  and  41 
other  nations.  AMIA  is  dedicated  to  the  development  and  application  of  informatics  in  support  of patient  care,  teaching, 
research,  and  health  care  administration  and  public  policy,  wuw.amia.oru 

2-1-2007 
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Foundation  of  Research  and  Education/AHIMA  Sponsored  Programs,  Research  Contracts  and  Grants* 

 January  1.  2006  to  April  23,  2007   

A.  Active  Projects  2007;  B.  Proposals  Pending  2007;  C.  Projects  Funded  and  Completed  2006  and  2007;  D.  Proposals 
without  Funding,  Rejected,  or  on  Hold  for  Ottier  Reasons 


A.  Active  Projects  2007 


Federal  Contract 

ONC— State  Level  Health 

Office  of  the  National 

Primary 

Information  Exchange  Consensus 

Coordinator  (ONC) 

Staff 

Project 

Involvement: 

Sue  Florio, 

Alefa  Harris, 

Linda  Kloss. 

Eileen 

Murray, 

Carol 

Nielsen, 

Theresa 

Reynolds 

(FORE)  on  emerging  best  practices  and  guidance  for  state  level  health  information  exchange  initiatives  (H)Es).  These 
organizations  are  evolving  very  rapidly  and  the  lessons  learned  must  be  documented,  studied,  and  made  available  to  ail  state 
level  entities  and  other  interested  stakeholders.  This  contract  will  produce  research-based  technical  work  products  to  expand 
the  body  of  knowledge  of  emerging  best  practices.  It  is  expected  that  these  will  help  not  only  state  level  HIE  initiatives,  but  also 
regional  health  information  exchange  initiatives,  state  govemmental  e-Health  programs  and  others  who  are  working  to  advance 
care  transformation  through  health  information.  


Value  of  Total  Contract:  $793,785.00 


Federal  Professional  Sen/ices  Contract 

#200-2006-M-18081:  Training  for 

CDC:  National 

Primary 

Coders  for  Morbidity  and  Mortality: 

Center  for  Health 

Staff 

ICD-10  Curricula 

Statistics 

Involvement: 

Kathy 

Gtannangelo 

This  project  involves  implementing,  piloting,  and  evaluating  the  first  phase  of  the  International  Training  and  Certification  Program 
for  ICD-10  Mortality  and  Morbidity  Coders.  The  purpose  of  the  project  is  to  expand  on  the  work  already  accomplished  by  the 
Joint  Collaboration  to  pilot  the  processes  for  testing  and  certification  of  practicing  ICD  coders  and  newly  trained  coders  and  for 
the  recognition  of  ICD  trainers  and  educators  and  to  evaluate  the  strengths  and  weaknesses  of  the  processes.  The  project  also 
will  perform  outreach  to  coders  and  trainers  in  order  to  inform  them  of  the  availability  and  benefits  of  the  international  program. 


Value  of  Total  Contract:  $20,000 


Subcontract  from  RTI  for  Professional  Services 
Funding  Primary  Source  is  AHRQ 

Contract  to  Develop  Model  Anti- 
Fraud  Requirements  for  Electronic 
Health  Records 

HHS/AHRQ 

Primary  Staff 
Involvement:  Michelle 
Dougherty,  Don  Mon, 
Harry  Rhodes 

The  RTI  research  team  has  previous  experience  identifying  fraudulent  or  othenwise  suspicious  activity  in  large  datasets  and 
recommends  an  iterative  two-pronged  approach  for  this  task,  which  includes  the  use  of  scoring  algorithms  and  anomaly 
detection.  Known  patterns  of  fraudulent  behavior  can  be  characterized  and  modeled  using  supen/ised  learning  or  rule  induction 
models.  The  resulting  scoring  algorithms  can  be  used  to  saeen  transactions  for  potentially  fraudulent  or  otherwise  suspicious 
activity.  Unsupen^sed  learning  strategies,  on  the  other  hand,  can  be  used  to  identify  unusual  or  anomalous  activity  worthy  of 
additional  review  and  follow-up.  Fraudulent  behavior  identified  through  the  use  of  anomaly  detection  can  then  be  modeled  and 
added  to  the  array  of  scoring  algorithms  used  to  screen  additional  data  for  patterns  suggestive  of  fraud  or  other  suspicious 
activity. 


Value  of  Total  Contract:  $115,326.00 


Contract 

Center  for  Aging  Sen/ices 

Center  for 

Primary  Staff  Involvement: 

Technology:  Development 

Aging 

Jill  Burrington-Brown,  Rita 

of  a  Framewori^  for 

Services 

Scichilone 

Continuity  of  Care 

Technology— 

Document  (CCD) 

a  program  of 

Functional  Status  and 

the  American 

Wellness  Content 

Association  of 
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I 

1  RE  !D  #:  35501 

Homes  and 
Services  for 
the  Aging 

1 

AHiMA  vviit  assist  in  the  esJabSishment  of  stakeholder  worK  groups  to  advance  health  information  technoiogy  and  terminology- 
standards  related  to  functional  status  assessrrjent  and  advocacy  for  electronic  health  record  use  for  wellness  measurement  ai 
constimer  ernpowerment  through  the  use  of  personal  health  records.  


Value  of  Total  Contract;  $54,600.00 


Sen/ic«  Contract 


9-CM  Map 
Validation 
Process  - 
Phase  H 


National 
Library  of 
Medjdne 


Primary  Staff 
involvement: 
Jill  Bonnart. 
Susan  Fentcn. 
Katriy 

Giannangelo, 
Karen  Kostick, 
Rita  Scichiione 


Note:  this  project  is  funded  but  the  actual  task  is  still  in  the  proposal  phase.  This  is  a  draft  of  the  tasks  Stat  were  submitted. 
The  goai  of  this  phase  of  the  map  validation  project  is  to  produce  small  sufesets  of  the  SN0MED;iCD-9-CM  reimbursement  use 
case  map  in  a  timely  fashion  for  testing  and  use  by  the  industr/.  Given  that  this  is  a  rsimburse.Ttent  use  case  map;  this  phase 
will  focus  on  the  most  frequent  conditions  and  diagnoses  as  detenrsiried  by  the  National  Center  for  HealBi  StatisScs  via  their 
National  Hospital  Discharge  Data  Set  and  National  Ambuiatoiy  Care  Data  Sal,  U  is  thought  that  these  wit  be  mors 
representative  of  diagnoses  submitted  to     payors  rather  than  utiiizing  CMS  data  which,  of  course,  is  iimited  to  CMS  claims. 


Value  of  Total  Contract:  $13,999.62  can-ied  over  from  the  base  year  plus  S50,000  from  Option  Year  l  -grand  total  of  $63,999.62 
for  use  in  Option  Year  2,  


Federal  Grant 


■AHRQ— A.mbLtiatcry  Safety  and 
Quality:  Enablmg  Patient-Centered 
Care  through  Health  ST:  Effects  of 
Patient-Centric  Care  Management 
Technotogy:  A  Randomized  Trial 


HHS;  AHRO 
RFA-HS-07-G07 


FORE 

Subcontract: 
Jiii 

Burring  ton- 
Brown, 
Susan 
Fenton, 
Carol 
Nielsen 


Letter  of  Intent:  January  19,  2007;  Proposai  February'  15         Prime:  Univ.  of  Centrai  Florida,  Dr.  Thomas  Wan.  PI 
The  proposed  research  focuses  on  a  demonstration  of  patient-centric  care  technology  to  improve  medication  management, 
utiii^ng  tfie  PHR  as  a  facilitator  for  improved  patient-provider  communication.  The  patient-centric  care  technoiogy  demonstration 
project  will  assess  and  address  the  use  of  PHR  health  Information  Technoiogy  QT)  as  a  facilitator  for  improving  ambulatory 
patient  safety  and  qual!t>',  identify  the  systemic  barriers  to  h-eaith  iT  adoption  for  older,  minority  and  underserved  populations, 
improving  patient  health  outcomes  and  asses  patient-clinician  satisfaction.  Additionally,  the  PHR  is  a  vehicle  for  developing  a 
process  for  obtaining  and  documenting  a  com,plete  list  of  cun^nt  patient  medications  at  each  office  visit,  reducing  medication 
errors  by  deescalating  Adverse  Drug  Events  (ADE)  and  Sentinel  Events(SE)  from  medications,  improving  perceptions  of  patient- 
clinidan  communication,  and  measuring  healthcare  outcomes,  specifically  inappropriate  use  of  healthcare  resources. 


Totals 


Yr.  1  $50,  745.00     j  Yr.  2  Yrs  3 
 i  $19.221  00  !  $24.743  00 


Total  Direct  &  IDC 
over  3  years  


Federal  Grant 


■AHRQ — Ambuiaiorv  Safety  and 
QualitH-  Enabling  Patieiu-Centered 
Care  through  Health  IT: 
Performance  Mea.-;ure  \  sriaiion: 
Data  ElcmcTiis.  Callvvtioa  arvd 


RFA-HS-07-0C2 


Susan 

Fenton, 

Crystal 

Kallem, 

Eileen 

Murray, 

Carol 

Nielsen 


Letter  of  intent  January  19, 2007 


SubiTiSisc^     Anticipated  Star  Date: 
July,  2007 

2/14,/20G7 


Prime:  Dr. 
Jennifer 
Garvin,  VA 
Philadelphia 


Consultation 
OR  key 
questions 
concerning  the 


.anguage  and 
~omputing 


Primary  Staff  Involvement:  Rita 
Scichiione 


IS 
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E&M  rutas  and 

review  of 

possible 

interpretations. 

Language  and  Computing  {L&C)  is  building  a  coding  for  biiiing  NLP  application  that  initialiy  focuses  on  E&M  coding  As  part  of 
the  process.  L&C  must  ensure  that  it  follows  applicable  rules  according  to  widely  accepted  interpretations.  Interpretation  of  rules 
is  a  major  variable  for  two  reasons,  First,  the  oiles  published  by  the  payors,  including  Medicare,  are  extremely  irnpfedse. 


Second,  there  are  intermediates  in  the  payment  process  called  "carriers  '  for  each  region  of  the  country  that  are  responsible  for 
imptenTsntation.  These  "carriers"  are  able  to  ap^ly  their  ov/n  interpretations  of  the  rules.  The  best  recourse  for  a  vendor  in  our 
situation  is  to  develop  a  consulting  relationship  with  an  organization  that  has  broad  knowledge  of  the  issues  raised  by 
interpretation  of  rules,  AHiMA  is  the  organization  in  (he  best  position  to  help  L&C  in  this  manner.  Staying  abreast  of  coding 
issues  is  one  of  the  roles  they  play  for  the  provider  community.  !t  is  a  respected  organization  by  both  providers  and  payors. 
Ultimately,  AHIMA  will  be  involved  in  an  independent  evaluation  of  our  tools.  Thus,  they  are  an  ideal  source  for  consulting  about 
interpretation  of  coding  for  billing  rules.  _____„__  

Value  of  Total  Contract:  S96Q0  depending  upon  number  of  hours  billed  


Federal  Grant 

AHRQ  Small 

HHS:  AHRQ 

Primary  Staff 

Conference  Grant 

Involvement: 

Program:  Solutions 

Susan 

to  Accelerate 

Fenton,  Kathy 

SNOWED  CT® 

Giannangeio 

implementation  in 

Electronic  Healtti 

Record  Systems 

The  Foundation  of  Research  and  Education  (FORE)  of  the  American  Health  Information  Management  Association  (AHIMA)  will 
hold  a  cross  industry  national  conference  to  identify  solutions  to  expand  and  accelerate  the  adoption  and  implementation  of 
SNOMED  Cr'^  in  Electronic  Health  Record  (EHR)  systems.  This  conference  will  convene  approximately  125  representatives 
from  various  stakeholder  organizations  who  can  determine  the  enablers  and  barriers  to  adoption  and  use  of  SNOMED  CT  in  the 
short  and  long  term.  The  participants  will  describe  the  business  case  for  a  reference  terminology  and  develop  recommendations 
for  an  integrated  strategy  for  the  use  of  the  SNOMED  CT  data  standard.  Participants  wti!  contribute  to  the  development  of  a 
white  paper  and  other  supporting  doaimentation  that  will  describe  a  nationwide  strategy  for  aligning  vendor  and  end  user 

SNOMED  CT  implementation  efforts  so  they  converge  and  can  serve  as  a  foundation  for  health  infonmation  exchange.  

Value  of  Total  Grant  Application:  546,182.59 


Federal  Contract 

HHSP23320064105 
EC:  RHtO  Develop 
Consensus  Best 
Practices  for  State 
Level  Regional  Health 
Information 
Organizations — Initial 
Contract 

.March  to  August.  2006 

Office  of  the  National 
Coordinator  (ONC) 

Primary  Staff 
Involvement: 
Linda  Kloss,  Don 
Mon,  Eileen  Murray, 
Harry  Rhodes 

The  purpose  of  the  project  was  to  gather  information  from  existing  state-level  RHlOs  to  determine  successful  governance,  legal, 
financaai  and  operational  characteristics,  to  develop  consensus  on  guidance  for  developing  state-level  HIE  initiatives,  and  to 
widely  disseminate  these  findings.  The  research  was  guided  by  a  Steering  Comimittee  of  leaders  from  the  state  level  RHIOs 


that  were  studied  and  a  panel  of  national  experts  who  served  as  Technical  Advisors.  They  identifted  these  three  targeted  areas, 
the  interaction  with  federal  activities,  financial  sustainability  through  HIE.  and  the  role  of  payers,  as  cntical  areas  for  further 
inquiry. 


Value  of  Total  Contract:  $489.745.00 


Subcontract  from  Research  Triangle  Institute — 

Privacy  and  Security 

HHSv'AHRQ 

Primary  Staff 

Federal  Flow-Through 

Solutions  for 

Involvement: 

Interoperable  Health 

Susan  Fenton, 

Information  Exchange 

Don  Mon,  Harry 

Rhodes 

The  American  Health  Information  Management  Association  (AHIMA)  developed  an  assessment  tool  evaluating  perceived 
barriers  in  state  laws  and  business  practices  that  pose  interoperability  challenges  and  hinder  the  free  flow  of  information  among 
all  stakeholders  involved  in  interoperable  health  information  exchange  and  identify  "best"  practices  for  overcoming 
interoperability  barriers. 


19 


84 


Value  of  Total  Contract:  $63,345.00 


Subcontract 

National  Conference  On  Health 

AHRQ 

Primary 

Care  Data  Collection  and 

Staff 

Reporting 

Involvement: 

Crystal 

Kallem,  Don 

Mon,  Alison 

Viola 

The  Foundation  of  Researdi  and  Education  (FORE)  of  ttie  American  Health  Information  Management  Association  {AHIMA)  and 
the  Medical  Group  Management  Association  Center  for  Research  (MGMA  CFR)  have  partnered  with  the  Agency  for  Healthcare 
Reseanzti  and  Quality  to  conduct  a  national  conference  on  heath  care  data  collection  and  reporting.  This  invitational  conference 
will  convene  approximately  50  persons  from  various  stakeholder  organizations  that  can  contribute  to  the  development  of  a  set  of 
recommendations  for  effectively  coordinating  various  performance  measurement  initiatives  to  maximize  value  and  minimize  data 
collection  burden  and  expense  for  health  care  providers.  Participants  will  contribute  to  the  development  of  multiple  articles  and 
papers  that  will  describe  a  national  strategy  for  developing  standard  mettiodologies  in  health  care  performance  measurement, 
data  collection  and  reporting. 


Value  of  Total  Contract:  $21 ,525.00 


Federal  Contract 

HHSP23320064105  EC:  RHIO 

Develop  Consensus  Best 

Office  of  the  National 

Primary 

Practices  for  Slate  Level  Regional 

Coordinator  (ONC) 

Staff 

Health  Information 

Involvement: 

Organizations — Second  Extension 

Crystal 

Kallem, 

Linda  Kloss, 

Don  Mon, 

Eileen 

Murray, 

Harry 

Rhodes 

This  project  will  study  three  specific  aspects  of  the  operation  of  state-level  Regional  Health  Information  Organizations  (RHIOs): 
their  interaction  with  federal  activities  for  health  care  and  information  technology,  health  infomiation  exchange  (HIE)  projects  that 
have  achieved  finandai  sustainabtlity  and  the  role  of  public  payers  on  state-level  HIE.  


Federal  Contract 

HHSP23320064105  EC:  RHIO 

Office  of  the  National 

Primary 

Develop  Consensus  Best 

Coordinator  (ONC) 

Staff 

Practices  for  State  Level  Regional 

Involvement; 

Health  Information 

Linda  Kloss, 

Organizations— Third  Extension 

Eileen 
Murray 

The  purpose  of  this  contract  extension  is  to  establish  and  support  a  dynamic  process  for  continuing  to  build  the  body  of  knowledge 
about  the  best  practices  of  state-level  health  information  exchange  (HIE)  initiatives. 


This  contract  extension  will  put  in  place  the  structure  and  processes  to  study  and  document  best  industry  practices  as  they 
continue  to  evolve  in  these  and  other  organizations.  In  this  way,  the  Workbook  and  related  resource  materials  will  be  a  dynamic 
reflection  of  dynamic  organizations.  The  specific  goals  are  as  follows: 

•  Track  the  evolving  practices  of  selected  HIE  organizations  in  the  areas  of  governance,  financing,  health  information 
exchange,  and  technology  and  incorporate  these  into  an  up  to  date  Workbook. 

•  Host  quarteriy  roundtables  to  seek  input  to  strategic  issues  that  reflect  barriers  or  opportunities,  changing  market 
conditions,  or  new  lessons  learned  and  prepare  reports  of  these  deliberations. 

•  Capture  characteristics  and  competencies  cf  the  evolving  models  for  state-level  HIEs 

•  Ensure  that  findings  are  communicated  to  ad  interested  state-level  HIE  organizations  and  are  available  through  the 
AHRQ  HIT  Resource  Center,  to  the  NGA  State  Alliance  for  e-Heaith.  the  National  Conference  of  State  Legislatures  and 
to  other  public  domain  resource  centers  working  to  advance  health  IT. 

•  Serve  as  a  point  of  contact  to  represent  the  state-level  HIE  perspective 
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Value  of  Total  Contract:  $139.958.63 
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Mr.  Clay.  Thank  you  so  much,  Mr.  Pickard. 
Mr.  Swire,  of  the  Ohio  State  University. 

STATEMENT  OF  PETER  SWIRE 

Mr.  Swire.  The  Ohio  State  University,  home  of  the  Buckeyes. 
Yes,  sir. 
Mr.  Clay.  Yes,  sir. 

Mr.  Swire.  Mr.  Chairman,  members  of  the  subcommittee,  thank 
you  very  much  for  the  invitation  to  testify  here  today  on  privacy 
and  security  of  electronic  health  records. 

Today  fewer  than  10  percent  of  our  clinical  records  in  the  country 
are  accessible  in  electronic  form,  and  all  of  us  hope  that  number 
climbs  sharply  in  the  next  decade. 

My  colleague  at  the  Center  for  American  Progress,  Karen  Dav- 
enport, has  recently  released  a  new  report  about  health  IT  and  the 
quality  improvements,  and,  Mr.  Chairman,  I  ask  if  that  could  be 
submitted  to  the  record  for  this  hearing. 

Mr.  Clay.  Yes,  please. 

Mr.  Swire.  Thank  you. 

To  make  this  shift  to  the  NHIN,  the  National  Health  Information 
Network,  we  need  to  get  privacy  and  security  right.  Public  surveys 
repeatedly  showed  that  these  privacy  concerns  are  top  of  mind 
when  it  comes  to  the  shift  to  electronic  health  records.  Unless 
Americans  are  convinced  that  effective  safeguards  are  in  place, 
many  of  the  benefits  of  this  NHIN  may  be  delayed  or  lost  entirely. 

My  written  statement  addresses  various  issues,  but  I  would  high- 
light two  things  in  the  testimony  today:  preemption  and  enforce- 
ment. 

On  preemption,  my  theme  is  that  the  wrong  sort  of  preemption 
would  actually  repeal  many  existing  privacy  and  security  safe- 
guards. On  enforcement,  the  current  no  enforcement  system  is  not 
a  sound  basis  for  going  forward  with  electronic  health  records. 

Briefly,  my  background  before  returning  to  law  teaching,  I  served 
as  chief  counselor  for  privacy  in  the  U.S.  Office  of  Management  and 
Budget  in  1999  and  2000,  and  in  that  role  I  was  the  \^ite  House 
coordinator  for  the  HIPAA  privacy  rule.  This  has  lost  me  many 
friends  in  the  medical  community. 

During  that  time  we  had  over  50,000  public  comments  on  the 
proposed  rule,  and  I  co-chaired  the  process  to  look  at  those,  try  to 
respond  to  them,  and  come  up  with  a  final  rule  by  the  end  of  2000, 
and  I  have  worked  in  this  area  since.  So  it  is  based  on  that  I  try 
to  offer  some  observations  today. 

On  preemption,  my  first  theme  is  that  simple  preemption  of 
State  laws  going  to  HIPAA  alone  would  repeal  many  existing  pri- 
vacy protections. 

In  many  States  we  have  protections  for  things  like  HIV  records, 
mental  health,  substance  abuse,  reproductive  records.  Public 
Health  Agency  records,  genetic  records,  and  if  we  simply  say  let's 
do  HIPAA,  then  that  means  that  all  of  the  State  protections  would 
be  repealed. 

In  Ms.  Grealy's  testimony,  they  feature  Indiana  as  a  State  to 
look  to.  Indiana  has  the  fewest  State  safeguards,  and  so  harmoniz- 
ing on  that  level  would  be  a  drop  in  privacy  protection,  and  we 
should  be  careful  about  doing  that. 
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On  enforcement,  I  have  serious  concerns  about  the  lack  of  en- 
forcement from  HHS.  This  is  an  oversight  issue.  This  creates  an 
obstacle  to  going  forward  with  electronic  health  records.  If  no  en- 
forcements are  brought  under  the  current  system  so  far  under 
HIPAA,  why  should  the  public  trust  we  are  going  to  have  good  en- 
forcement for  the  next  generation? 

Let  me  emphasize  my  criticism  here  goes  to  law  and  policy  and 
not  to  the  good  faith  or  the  intelligence  or  hard  work  of  people  at 
HHS,  but  there  are  some  legal  problems  the  Congress  may  need  to 
address. 

There  are  three  principal  problems  in  enforcement: 

First,  the  batting  average  for  HHS  is  pretty  low.  There  has  been 
27,000  complaints  and  zero  civil  or  monetary  penalties,  so  over 
27,000.  That  doesn't  create  a  lot  of  confidence. 

Second,  the  current  administration  has  adopted  the  policy  of  one 
free  violation.  In  an  enforcement  rule  last  year,  HHS  said  that  the 
first  violation  simply  won't  lead  to  a  penalty;  instead,  it  will  lead 
to  a  planned  correct  going  forward.  This  sends  the  signal  that  med- 
ical privacy  shouldn't  be  taken  seriously.  If  you  are  a  covered  en- 
tity, just  wait  until  they  come  the  first  time  and  then  you  can  fix 
it,  but  you  don't  face  any  exposure. 

Third,  the  Department  of  Justice  has  dropped  the  ball  on  crimi- 
nal prosecution.  Justice  has  received  almost  400  referrals  from 
HHS  and  has  brought  zero  cases  under  those  400  referrals.  These 
are  the  most  serious  cases,  and  the  problem  is  that,  once  it  goes 
to  DO  J,  under  current  policy  HHS  stops  all  proceedings,  so  the 
most  serious  cases  HHS  doesn't  do  it  and  DOJ  doesn't  do  it. 

This  lack  of  enforcement  has  been  the  subject  of  major  stories  in 
the  Wall  Street  Journal  and  the  Washington  Post.  One  expert  was 
quoted  in  the  post  saying,  "HHS  really  isn't  doing  anything,  so  why 
should  I  worry?" 

The  lack  of  HIPAA  enforcement  will  make  it  harder  to  build  the 
next  generation  of  electronic  health  records.  Critics  will  be  on 
strong  and  legitimate  ground  saying  they  can't  trust  the  current 
system,  much  less  the  higher  level  of  trust  we  would  want  to  have 
if  we  go  to  the  all-electronic  NHIN. 

In  my  testimony  I  point  out  that  we  can  respond  to  these  prob- 
lems perhaps  by  HHS  changes  or  by  targeted  legislation.  Here  are 
three  things  to  consider,  and  then  I  will  close:  first,  HHS  can  end 
the  one  free  violation  part  of  the  enforcement  reg;  second,  we 
should  end  the  current  interpretation  where  HHS  stops  its  own  en- 
forcement efforts  in  the  most  serious  cases  whenever  there  is  a 
criminal  referral  to  DOJ;  and,  third,  a  mistaken  Department  of 
Justice  legal  opinion  that  narrowed  the  criminal  provisions  of 
HIPAA  should  be  revisited.  They  really  take  the  position  that  only 
the  hospital  that  intentionally  violates  the  law  and  not  any  of  the 
individuals  who  break  the  law  can  be  enforced. 

That  concludes  my  comments.  I  welcome  any  questions  you  may 
have. 

[The  prepared  statement  of  Mr.  Swire  follows:] 
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Mr.  Chairman,  Mr.  Ranking  Member,  members  of  the  Committee: 

Thank  you  for  your  invitation  to  testify  today  on  the  privacy  and  security  of  electronic  health 
records.  Our  medical  system  is  now  striving  to  move  toward  what  is  often  called  the  National 
Health  Information  Network.  Today,  less  than  1 0  percent  of  our  clinical  records  are  accessible  in 
electronic  form.  All  of  us  hope  that  that  number  climbs  sharply  in  the  next  decade.  As  my 
colleague  Karen  Davenport  has  stressed  in  a  new  report,  improved  health  information  technology 
is  essential  to  improving  the  quality  of  our  nation's  health  care.' 

To  make  the  shift  to  the  NHIN,  we  need  to  get  privacy  and  security  right.  Public  surveys 
repeatedly  show  that  privacy  and  security  concerns  are  top-of-mind  when  it  comes  to  the  shift  to 
electronic  health  records.  Unless  Americans  are  convinced  that  effective  safeguards  are  in  place, 
then  many  of  the  benefits  of  the  NHIN  may  be  delayed  or  lost  entirely. 

My  testimony  today  highlights  two  key  issues — preemption  and  enforcement. 

First,  preemption  of  state  laws  would  effectively  repeal  many  existing  privacy  and  security 
protections.  There  is  a  national  baseline  of  protection  under  the  Health  Insurance  Portability  and 
Accountability  Act  of  1996.  The  HIPAA  privacy  and  security  rules,  on  which  I  worked 
extensively,  offer  essential  safeguards  for  patient  records.  They  are  incomplete,  however.  It  is  the 
states  that  provide  the  current  protections  for  sensitive  records  such  as  mental  health,  HIV, 
genetic  information,  and  other  key  categories  of  records.  The  NHIN  should  be  an  occasion  for 
strengthening  safeguards,  and  not  repealing  numerous  safeguards  in  the  name  of  federal 
preemption. 

Second,  the  current  "no-enforcement*'  system  is  not  a  credible  basis  for  EHRs  and  the 
NHIN.  HHS  has  received  over  27,000  HIPAA  privacy  complaints  but  has  yet  to  bring  its  first 
case  for  civil  monetary  penalties.  HHS  has  needlessly  adopted  a  "one  free  violation '  policy, 
guaranteeing  covered  entities  that  they  can  violate  the  law  the  first  time  without  financial 
punishment.  And  the  Department  of  Justice  has  interpreted  the  HIPAA  criminal  provisions  in 
misguided  and  narrow  ways.  As  explained  belov/,  each  of  these  problems  can  and  should  be 
fixed  through  targeted  legislation  or  regulatory  change. 

Background 

I  am  the  C.  William  O'Neill  Professor  of  Law  at  the  Moritz  College  of  Law  of  the  Ohio  State 
University,  and  a  Senior  Fellow  at  the  Center  for  American  Progress.  I  live  in  the  Washington, 
D.C.  area. 

From  1999  until  early  2001  I  served  as  the  Chief  Counselor  for  Privacy  in  the  U.S.  Office  of 
Management  and  Budget.  My  biggest  single  project  in  that  role  was  acting  as  the  White  House 
coordinator  for  the  HIPAA  medical  privacy  rule.  Working  with  HHS,  we  aimounced  the 


'  Karen  Davenport,  "Navigating  American  Health  Care:  How  Information  Technology  Can  Foster  Health  Care 
Improvement,"  Center  for  American  Progress,  May,  2007,  available  ai 
hup:  uu  w  .iiinoiicanprouicss.orii  issues  2007  06  liL-;iilh  II  ivporl.lUnil. 
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proposed  rule  in  October  1999.  There  were  over  52,000  public  comments  on  the  proposed  rule. 
The  final  rule,  including  responses  to  all  of  those  comments,  was  released  in  December  2000. 
Shortly  thereafter,  I  returned  to  my  law  teaching  position.  In  2002,  HHS  armounced 
modifications  to  the  medical  privacy  rule.  The  rule  went  into  full  effect  in  April,  2003. 

Smce  leaving  government  at  the  beginning  of  2001, 1  have  worked  extensively  on  medical 
privacy  and  security  issues.  My  CV  details  my  writings  and  speeches  on  these  issues.  From  2004 
until  2006  I  was  a  member  of  the  Markle  Foundation's  Connecting  for  Health  Task  Force. 
Connecting  for  Health's  Common  Framework  is  an  outstanding  set  of  materials  about  how  to 
create  private  and  secure  health  information  exchange.  For  detailed  discussion  of  security  and 
privacy  issues,  I  commend  those  papers  to  the  committee's  attention. 

Since  2001,  in  compliance  with  my  university's  limits  on  outside  consulting,  I  have  also  worked 
on  medical  privacy  and  security  issues  for  private-sector  clients,  as  a  consultant  to  the  law  firm 
of  Morrison  &  Foerster,  LLP.  This  work  with  an  array  of  clients  has  given  me  hands-on 
experience  in  what  it  is  like  to  comply  with  the  privacy  and  security  rules.  None  of  these  clients 
has  paid  me  in  connection  with  the  testimony  today,  and  the  views  expressed  here  are  entirely 
my  own. 

Preemption  of  State  Laws  Would  Effectively  Repeal  Many  Existing  Privacy  and  Security 
Protections 

My  first  theme  today  is  that  simple  preemption  of  state  laws  would  effectively  repeal  many 
existing  privacy  and  security  protections. 

To  understand  the  preemption  issue,  it  is  useful  to  start  with  the  case  in  favor  of  preemption 
made  by  in  industry.  This  view  starts  with  a  correct  factual  premise — the  benefits  of  sharing 
electronic  clinical  data  are  high.  As  Newt  Gingrich  has  often  said,  "Paper  kills."  We  need  to 
move  to  a  more  networked  version  of  health  care.  The  shift  to  electronic  records  has  occurred  in 
banking,  travel,  and  most  other  sectors,  and  it  is  inevitable  and  desirable  for  it  to  occur  for 
clinical  health  records. 

On  all  of  this  I  agree.  The  next  part  of  the  pro-preemption  position  asserts  that  we  can  only  have 
a  national  health  information  network  if  we  have  a  national  set  of  rules.  HIPAA  forms  that 
national  baseline,  and  so  we  should  harmonize  on  the  HIPAA  standard.  In  short,  goes  this 
argument,  preemption  is  essential  to  a  national  network — it's  a  "no-brainer." 

Although  I  sympathize  with  the  system  designers  who  struggle  v^th  diverse  state  laws,  the 
effects  on  privacy  and  security  from  this  sort  of  preemption  would  be  large  and  negative.  To  see 
why,  it  is  important  to  realize  that  protections  for  the  most  sensitive  categories  of  medical 
information  are  set  forth  in  state  law,  and  not  in  HIPAA.  Here  are  some  categories  of  medical 
records  that  are  often  protected  at  the  state  level  today: 

•  HIV  and  other  sexually  transmitted  diseases 

•  Mental  health  (beyond  the  limited  scope  of  "psychotherapy  notes"  defined  in  HIPAA) 

•  Substance  abuse  and  alcohol 
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•  Reproductive  and  contraceptive  care  (where  states  vary  widely  in  policy) 

•  Records  held  by  public  health  and  other  state  agencies 

•  Genetic  records 

The  key  thing  to  realize  is  that  HIPAA  simply  does  not  have  provisions  for  these  topics.  If  there 
is  federal  preemption  on  the  HIPAA  baseline,  then  there  will  be  a  large  drop  in  privacy 
protection,  especially  for  the  most  sensitive  records. 

A  related  point  is  that  many  reporting  regimes  have  been  linked  closely  with  privacy  protections. 
To  take  one  important  example,  extra-strict  protections  for  HIV  records  have  been  a  package 
deal  with  HIV  reporting  requirements.  The  concern  is  that  individuals  will  decide  not  to  get 
tested  unless  they  are  promised  strong  confidentiality.  If  we  repeal  these  confidentiality 
protections,  such  as  through  federal  preemption,  then  we  will  face  the  public  health  risks  from 
the  spread  of  communicable  diseases. 

In  the  medium  term,  the  lack  of  preemption  is  likely  to  be  more  manageable  than  many  in 
industry  have  assumed.  Electronic  health  records  are  being  deployed  in  regional  health 
information  organizations,  and  many  of  those  RHlOs  cover  only  one  or  a  few  states.  A  New 
York  City  RHIO,  for  instance,  could  manage  the  vast  bulk  of  its  records  by  complying  with  the 
laws  of  New  York,  New  Jersey,  and  Connecticut.  As  we  build  out  from  these  regional  systems, 
each  RHIO  can  share  its  expertise  about  relevant  state  laws  with  other  RHlOs.  The  path  toward 
compliance  with  state  law  is  thus  far  simpler  than  it  would  be  if  we  tried  to  do  a  massive  and 
instantaneous  shift  to  a  50-state  system. 

As  a  final  point  on  preemption,  the  state  laws  that  are  often  seen  as  ''burdens"  by  industry  have 
another  name  from  the  consumer  perspective — consumer  ''protections."  In  light  of  the  strong 
privacy  and  security  concerns  about  the  NHIN,  there  should  be  no  rush  to  repeal  these  state 
privacy  and  security  protections. 

The  Current  "No  Enforcement^^  System  Is  Not  a  Credible  Basis  for  EHRs  and  the  NHIN 

I  have  serious  concerns  about  the  current  enforcement,  or  lack  of  enforcement,  of  HIPAA 
privacy  complaints.  This  lack  of  enforcement  creates  a  major  obstacle  to  public  acceptance  of 
EHRs  and  the  NHIN — if  no  enforcement  actions  are  brought  under  HIPAA,  why  should  the 
public  trust  that  there  will  be  effective  enforcement  as  far  more  medical  records  flow  around  the 
NHIN? 

Let  me  emphasize  that  my  criticism  here  goes  to  law  and  policy,  and  not  to  the  good  will  or 
competence  of  the  individuals  at  HHS  who  work  on  enforcement  at  the  Office  of  Civil  Rights. 
From  my  time  in  the  government  and  since,  I  have  been  uniformly  impressed  with  the  quality  of 
people  who  have  worked  on  privacy  and  security  issues. 

There  are  three  principal  problems: 

•  First,  the  batting  average  at  OCR  is  low,  to  say  the  least — zero  civil  penalties  for  over 
27,000  complaints.  Through  the  end  of  April  2007,  OCR  reported  a  total  of  27,070 
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HIPAA  privacy  complaints,  with  over  4,500  resolved  through  investigation  or 
enforcement.  Despite  this  heavy  volume,  not  a  single  case  has  yet  resulted  in  civil 
monetary  penalties. 

•  Second,  the  current  administration  has  adopted  the  policy  of  "one  free  violation."  In  the 
2006  enforcement  rule  adopted  by  HHS,  the  decision  was  made  that  a  covered  entity 
would  simply  not  be  subject  to  civil  penalty  for  its  first  violation."^  Instead,  the  first 
offense  always  results  in  a  plan  to  correct  actions  going  forward.  This  "'one  free 
violation"  policy  sends  the  signal  that  medical  privacy  rules  are  not  taken  seriously — a 
covered  entity  can  be  lax  in  its  protection  of  patient  records,  secure  in  the  knowledge  that 
it  can  fix  the  problems  if  and  when  a  complaint  is  filed. 

•  Third,  the  Department  of  Justice  has  dropped  the  ball  on  criminal  prosecution.  In  a  2005 
legal  opinion  that  I  have  criticized  previously,^  the  Office  of  Legal  Counsel  interpreted 
the  HIPAA  criminal  provision  extremely  narrowly.  Under  this  opinion,  even  the  purchase 
and  sale  of  hospital  records,  for  criminal  gain,  could  not  be  prosecuted  under  HIPAA. 
Although  some  of  those  problems  have  since  been  solved,"*  main  Justice  has  failed  to 
bring  a  single  indictment  on  any  of  the  393  cases  that  HHS  has  referred  for  prosecution. 
These  are  the  most  serious  cases  that  HHS  has  found,  but  none  of  them  has  yet  resulted  in 
criminal  indictment  or  civil  monetary  penalties.'  The  lack  of  Justice  Department  action 
on  these  referrals  is  important,  because  the  Office  of  Legal  Counsel  has  stated  that  no 
civil  monetary  penalties  may  be  imposed  for  actions  that  are  punishable  under  the 
HIPAA  criminal  statute.^ 

This  lack  of  enforcement  has  been  the  subject  of  major  stories  in  The  Wall  Street  Journal  and 
The  Washington  Post  J  but  HHS  and  Congress  have  not  responded  to  date.  As  The  Washington 
Post  quoted  one  medical  records  specialist,  'They  are  saying,  'HHS  really  isn't  doing  anything, 
so  why  should  I  worry?'" 


"^Under  Section  160.3 12,  the  regulation  states  that  "the  Secretary  will  [not  may]  attempt  to  reach  a  resolution  of  the 
matter  satisfactory'  to  the  Secretary  by  informal  means."  7 1  Fed.  Reg.  8390,  8425  (Feb.  16,  2006).  Under  the 
regulation,  civil  monetary  penalties  can  be  assessed  only  if  no  agreement  is  reached  by  informal  means.  I  do  not 
believe  that  this  position  is  required  by  statute.  Whether  or  not  it  is  currently  required  by  statute,  the  Congress  could 
decide  to  change  this  policy  by  new  legislation. 

^  Peter  Swire,  "Justice  Department  Opinion  Undermines  Medical  Privacy,"  Center  for  American  Progress  (2005), 
available  at  http://www.ame^icanprogress.org/issues/2005/'06^743281  .html, 

"  My  understanding  is  that  Department  of  Justice  prosecutors  in  Che  field  have  been  able  to  bring  some  HIPAA 
prosecutions  under  an  innovative  approach  described  by  Assistant  U.S.  Attorney  Peter  Winn,  "Who  is  Subject  to 
Criminal  Prosecution  Under  HIPAA?"  Available  at 

http://www.abanet.org/health/01_interest_groups/0l_media/WinnABA_2005-l  l.pdf. 

'  I  understand  that  five  criminal  cases  have  been  brought  to  date  by  U.S.  attorneys  acting  on  evidence  uncovered  in 
their  districts,  and  not  based  on  referrals  by  HHS. 

^  The  Office  of  Legal  Counsel  opinion,  at  note  13,  quotes  42  U.S.C.  §  1320d-5(b)(l)  for  this  conclusion,  and  reaches 
the  remarkable  conclusion  that  "the  Secretar>'  may  not  impose  civil  sanctions  for  the  commission  of  an  act  that  subjects  a 
person  to  the  possibility  of  criminal  prosecution,  regardless  of  whether  the  person  is  in  fact  punished  criminally."  This 
position  is  peculiar,  to  say  the  least.  It  seems  to  mean  that  a  covered  entity  would  be  better  off  doing  a  serious  violation 
that  is  criminal,  in  order  to  avoid  any  possibility  of  civil  sanctions. 

^  Theo  Francis,  "Medical  Dilemma:  Spread  of  Records  Stirs  Patient  Fears  Of  Privacy  ErosioR,'T/7e  fi^'all  Street 
Journal,  Dec.  26,  2006;  Rob  Stein,  "Medical  Privacy  Law  Nets  No  Fines,"  The  Washington  Post,  June  4,  2006. 
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I  have  been  at  conferences  where  covered  entities  themselves,  including  military  hospitals,  have 
asked  HHS  for  more  enforcement.  These  unusual  complaints — calls  for  more  enforcement  by 
those  subject  to  enforcement — have  been  based  on  their  experience  that  it  is  too  difficult  to  get 
resources  and  management  attention  for  data  privacy  and  security  now  that  the  zero-enforcement 
system  is  known.  These  complaints  are  echoed  by  a  report  from  the  American  Health 
Information  Management  Association,  which  found  in  2006  that  HIPAA  compliance  had 
actually  fallen  compared  with  previous  years,  due  especially  to  lack  of  resources  and 
management  attention.^ 

The  lack  of  HIPAA  enforcement  will  make  it  harder  to  build  the  next  generation  of  electronic 
health  records.  Critics  will  be  on  strong  ground  in  saying  they  can't  trust  the  integrity  of  the 
current  system,  much  less  have  the  level  of  trust  needed  for  the  greatly  expanded  flow  of 
electronic  records  in  the  NHIN. 

To  respond  to  these  problems,  targeted  legislation  could  address  the  following: 

•  First,  end  the  ''one  free  violation"  part  of  the  enforcement  regulation. 

•  Second,  end  the  current  interpretation  where  HHS  stops  its  ovm  enforcement  efforts  in 
the  most  serious  cases,  whenever  there  is  a  criminal  referral  to  DOJ. 

•  Third,  overrule  the  Office  of  Legal  Counsel  opinion  that  incorrectly  and  unjustifiably 
narrowed  the  criminal  provisions  of  HIPAA. 

These  targeted  measures  would  bring  credibility'  to  the  HIPAA  enforcement  system.  There  was 
good  reason  to  go  easy  on  covered  entities,  and  help  them  come  into  compliance,  when  HIPAA 
first  took  effect.  The  HIPAA  privacy  rule  was  first  announced  in  1999,  though,  and  it  has  been  in 
full  effect  for  over  four  years.  Going  forward,  serious  violations  should  lead  to  actual  penalties. 
Only  in  this  way  will  privacy  and  security  practices  improve.  And  only  in  this  way  will  we  have 
a  credible  case  for  the  large  expansion  of  electronic  records  that  will  come  with  the  NHIN. 

Some  Steps  May  Be  Appropriate  to  Adjust  the  Scope  of  Covered  Entities 

Staff  has  asked  me  for  comments  about  the  scope  of  who  is  considered  a  ''covered  entity"  under 
HIPAA.  HIPAA  primarily  applies  today  to  health  care  providers,  health  insurers,  and  health 
clearinghouses.  By  contrast,  HIPAA  does  not  apply  to  many  health  websites  or  to  services  where 
the  patients  pay  only  by  cash  and  credit  card  and  there  is  no  health  insurance.^ 

The  history  of  the  HIPAA  statute  explains  this  odd  state  of  affairs.  As  Congress  in  1996 
considered  the  large  health  legislation  that  ultimately  was  enacted  as  HIPAA,  one  important  goal 


*  American  Health  Information  Management  Association,  "The  State  of  HJPAA  Privacy  and  Security  Compliance," 
(2006),  available  at  Imp:  u  w  u  ..iliim;i.»iu  emeriiini:,  issuer  2()()6Si.ueun  llPAACompliimce.pi.ir. 
'  The  Pew  Foundation  and  Health  Privacy  Project  address  the  scope  of  covered  entities  in  their  report  "Exposed 
Online:  Why  the  new  federal  health  privacy  regulation  doesn't  offer  much  protection  to  Internet  users,"  (2001), 
available  at  Imp,  nvwv.pcuintcrnci.uru  pdl"-^  PtP  UPl'  HealthPriv  jcpoil.pJr 
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was  to  simplify  the  health  payments  system  and  shift  payments  to  electronic  form.  The 
"Administrative  Simplification"  part  of  HIPAA  thus  moved  forward,  and  it  applied  precisely  to 
those  entities  that  were  involved  in  the  electronic  payments  system — providers,  insurers,  and 
clearinghouses  (who  convert  records  into  standard  electronic  formats).  Late  in  the  legislative 
process,  Congress  realized  that  privacy  and  security  protections  should  be  included  as  part  of  the 
shift  to  electronic  health  payments.  The  scope  of  these  privacy  and  security  protections  thus 
matched  the  scope  of  entities  included  in  "Administrative  Simplification.'" 

Going  forward,  it  is  possible  that  additional  entities  should  be  covered  by  the  HIPAA  privacy 
and  security  rules.  I  recommend  caution  on  this  topic,  however.  To  take  one  example,  suppose 
that  a  person  buys  a  book  on  breast  cancer  from  an  online  book  store.  Should  the  entire  book 
store  be  covered  by  HIPAA  because  some  of  the  books  are  on  medical  topics? 

The  bookstore  example  reminds  us  that  the  most  important  regulatory  decision  is  who  will  be 
covered  by  a  rule.  If  Congress  broadly  increases  the  scope  of  "covered  entities,"  then  all  of 
HIPAA's  privacy  and  security  requirements  will  apply  to  a  potentially  large  number  of 
organizations.  .A.ny  expansion  of  that  sort  should  be  done  only  after  careful  study. 

There  is  one  area,  however,  where  this  committee  may  appropriately  consider  new  measures. 
Important  categories  of  government  agencies  are  exempt  from  HIPAA  but  permitted  by  it  to  gain 
access  to  patient  records.  Under  Section  512(b),  public  health  agencies  may  receive  records,  and 
HIPAA  does  not  apply  to  those  agencies  once  they  receive  them.  Of  perhaps  even  greater 
concern,  there  are  ways  that  law  enforcement,  homeland  security,  and  national  security  agencies 
may  be  gaining  access  to  large  numbers  of  medical  records.  For  instance,  HIPAA's  national 
security  or  public  health  exceptions  might  permit  these  agencies  to  receive  health  records  to  tight 
"bioterrorism."  We  know  that  the  Total  Information  Awareness  program  led  by  Admiral 
Poindexter  targeted  such  medical  records.  What  we  don't  know  is  what  sort  of  databases  and 
data  mining  exist  on  Americans'  health  records  in  the  name  of  national  or  homeland  security. 
Jim  Dempsey  of  the  Center  for  Democracy  and  Technology  is  currently  researching  this  topic. 
Attention  to  his  forthcoming  report  and  other  oversight  is  warranted  on  how  government 
agencies  are  using  sensitive  medical  records. 

Conclusion 

This  testimony  has  highlighted  reasons  to  be  cautious  about  preempting  state  privacy  laws.  It  has 
suggested  targeted  measures  to  make  HIPAA  enforcement  more  credible,  and  has  shown  areas 
where  oversight  is  appropriate  on  the  definition  of  covered  entity. 

There  are  other  important  privacy  and  security  issues  that  will  arise  in  development  of  the  NHIN. 
For  instance: 

•  Authentication:  how  can  we  identify  patients  in  the  NHIN  while  avoiding  creating  one 
enormous  database  that  becomes  a  risky  source  of  failure? 

•  Consent:  how  can  patients  have  an  appropriately  nuanced  right  to  consent  where  in  the 
NHIN  their  records  will  go,  and  for  which  records? 
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•    Audit:  as  the  NHIN  links  large  numbers  of  organizations,  how  will  audits  and  other 
controls  enable  the  organizations  to  trust  that  appropriate  safeguards  are  being 
implemented? 

Discussion  of  each  of  these  issues,  and  many  others,  is  contained  in  Connecting  for  Health's 
Common  Framework.  I  know  of  no  better  resource  for  understanding  how  to  build  privacy  and 
security  into  the  next  generation  of  America's  electronic  health  records. 

My  thanks  to  the  committee  for  inviting  me  to  participate  today. 
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Mr.  Clay.  Thank  you,  Mr.  Swire. 

Let  me  thank  the  entire  panel  for  their  testimony  today. 

We  will  begin  the  question  period  under  the  5-minute  rule,  and 
I  will  begin  with  a  general  question  for  everyone  to  comment  on. 
Many  electronic  health  care  tools  such  as  electronic  health  records 
and  internet-based  personal  health  records  are  available  to  con- 
sumers today.  The  country,  however,  is  still  lacking  an  established 
nationwide  approach  for  ensuring  that  personal  health  information 
will  be  protected  from  inappropriate  disclosure.  Do  you  believe  that 
the  implementation  of  health  IT  is  beginning  to  out-pace  the  devel- 
opment of  overall  privacy  policies  and  practices? 

We  will  start  with  Ms.  Grealy. 

Ms.  Grealy.  Well,  as  I  said,  both  from  my  experience  as  heading 
up  the  Healthcare  Leadership  Council  and  formerly  with  the  Amer- 
ican Hospital  Association,  as  well  as  my  personal  experience  deal- 
ing with  health  care  for  my  family,  providers  took  the  HIPAA  pri- 
vacy rule  very,  very  seriously.  They  put  in  place  compliance  plans, 
a  lot  of  education,  and  this  was  throughout  all  of  the  covered  enti- 
ties, the  various  business  associates.  I  am  not  sure  we  often  recog- 
nize just  how  much  went  into  making  sure  they  understood  the 
HIPAA  privacy  rules  and  they  were  in  compliance. 

The  rules  are  very  complex.  I  just  want  to  touch  on,  I  think,  the 
approach  that  HHS  and  the  Office  of  Civil  Rights  has  taken  is  real- 
ly the  proper  approach.  They  could  have  taken  a  "gotcha"  approach, 
and,  you  know,  every  time  we  find  you  have  made  just  the  slightest 
error  we  are  coming  after  you  with  civil  and  monetary  penalties  or 
criminal  penalties.  I  think,  instead,  what  they  did  was  to  develop 
a  partnership.  We  want  this  rule  to  work,  and  so  we  have 
partnered  with  providers  and  others  to  educate  them. 

Of  the  27,000  complaints  that  have  been  registered,  I  think  if 
you  delve  into  them,  if  you  talk  with  the  people  at  the  Office  of 
Civil  Rights  you  will  find  that  many,  many,  the  vast  majority,  were 
really  a  misunderstanding  of  what  was  required  by  the  privacy 
rule.  In  fact,  many  times  we  have  run  into  what  I  would  call  h3rper- 
compliance,  where  we  have  providers  unwilling  to  share  informa- 
tion with  those  who  could  benefit  from  it  because  they  throw  up 
HIPAA  doesn't  allow  me  to  do  that.  So  we  really  have  to  strike  that 
appropriate  balance. 

As  we  move  into  the  electronic  world,  security  measures  are  in 
place.  I  think  we  also  sometimes  lose  sight  that  these  electronic 
medical  records  can  be  much  more  secure  than  the  paper  records 
that  have  been  sitting  in  file  cabinets  and  physicians'  offices.  Often- 
times you  have  no  way  of  determining  who  has  accessed  those 
records,  unlike  in  the  electronic  world  where  you  can  establish  an 
audit  trail.  You  can  really  determine  who  has  accessed  that  and 
whether  it  is  appropriate.  You  can  password  protect  it. 

So  I  think  we  have  a  framework.  We  may  have  to  modify  it.  You 
can  tell  from  the  GAO  testimony  that  there  is  a  lot  of  work  going 
on  at  HHS,  at  AHIC,  the  National  Committee  on  Vital  Health  Sta- 
tistics, to  determine  what  is  appropriate  in  this  electronic  world. 
But  remember,  this  all  started  because  people  were  concerned 
about  the  electronic  transmission  of  personally  identifiable  health 
information.  That  is  what  started  the  HIPAA  statute  and  resulted 
in  the  HIPAA  privacy  rule.  So  I  don't  think  we  need  a  wholesale 
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revision  of  it.  We  may  need  some  tweaking  of  it.  But  I  think  right 
now  it  is  workable,  and  a  lot  of  providers  are  spending  a  lot  of  time 
and  resources  that  don't  go  to  direct  patient  care,  but  instead  go 
toward  compliance.  I  think  we  have  to  be  very,  very  careful  in 
terms  of  how  we  use  those  resources. 

Mr.  Clay.  Thank  you,  Ms.  Grealy. 

Mr.  Pickard. 

Mr.  PiCKAED.  Yes.  I  would  have  to  agree,  and  I  think  that  it  is 
not  a  question  of  the  technology  but  more  about  the  actual  policies. 
I  do  believe  that  HIPAA  has  provided  a  good  framework,  and  I 
think  where  we  run  into  challenges  or  where  we  will  run  into  chal- 
lenges are  the  other  entities,  the  other  types  of  entities  outside  of 
the  HIPAA  boundaries,  the  covered  entities  that  are  now  faced 
with  handling  health  information.  So  I  believe  that  is  probably 
where  we  run  into  challenges  associated  with  HIPAA.  That,  again, 
kind  of  brings  us  back  to  an  important  point  or  important  principle 
within  my  testimony,  and  that  is  that  the  confidentiality  and  pri- 
vacy protections  follow  the  information,  no  matter  where  it  goes  or 
where  it  resides  or  how  it  is  accessed  or  handled. 

Mr.  Clay.  How  about  you,  Mr.  Swire? 

Mr.  Swire.  Thank  you,  sir. 

A  fairly  simple  point.  HIPAA  came  about  when  we  made  a  shift 
for  payment  records  from  paper  to  electronic,  so  you  would  file  with 
Medicare,  insurance  companies  electronically,  and  Congress  said  in 
1996  let's  do  privacy  and  security  with  that. 

We  are  now  in  chapter  two,  and  chapter  two  is  the  shift  for  clini- 
cal records,  your  x-rays  and  all  the  rest  of  those  things,  and  we  are 
now  building  the  systems  for  the  first  time  to  really  move  clinical 
records,  so  we  should  build  those  systems  right  for  this  generation 
like  we  tried  to  build  systems  right  for  the  payments  generation, 
and  that  is  our  job  together. 

The  easiest  time  to  get  privacy  and  security  right  is  when  you 
build  it  the  first  time.  It  is  much  harder  to  patch  later.  That  is 
where  Congress  can  take  a  leadership  role  and  make  sure  we  do 
it. 

Mr.  Clay.  Thank  you  for  that  response. 
Mr.  Hodes. 

Mr.  HODES.  Thank  you,  Mr.  Chairman. 

Professor  Swire,  I  am  interested  in  and  appreciate  your  con- 
densed version  of  arguments  about  preemption  and  what  we  might 
lose  by  it,  because  really  I  think  that  goes  to  the  heart  of  policy 
issues  that  Congress  is  facing  in  dealing  with  the  questions  of  a  na- 
tional health  information  network  versus  leaving  it  to  what  is 
clearly  a  rapidly  evolving  patchwork  of  regulation.  You  point  out 
that  we  have  HIPAA  as,  call  it,  a  baseline,  but  that  many  States 
have — in  fact,  I  think  all  the  States  have  dealt  with  other  medical 
information  of  a  very  sensitive  kind  that  HIPAA  simply  doesn't 
deal  with.  So  I  take  to  heart  your  point  about  not  rushing  too 
quickly  to  simply  say  HIPAA  is  the  standard  and  that  is  the  na- 
tional standard  and  that  is  where  we  are  leaving  it. 

If  we  were  to  look  at  the  national  picture,  which  I  am  sure  you 
have  much  more  than  I  have,  how  would  you  balance,  in  looking 
what  the  various  States  have  done  in  terms  of  the  issues  you  have 
raised  on  pages  three  and  four  of  your  report — mental  health 
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records,  HIV,  and  all  that — if  Congress  was  inclined  to  try  to  set 
some  national  standard,  mindful  of  your  warnings?  How  would  you 
suggest  we  go  about  looking  at  what  the  States  have  done?  Should 
we  simply  say  we  are  going  to  take  the  best  standards  from  which- 
ever State  best  protects  privacy  and  security  of  people  and  that  is 
the  one  we  are  going  to  use  for  HIV,  and  similarly  we  are  going 
to  look  at  mental  health  records  and  take  the  best  one  that  we  can 
get  from  State  B,  and  then  we  are  going  to  incorporate  it  with  this 
other  baseline  and  call  it  a  Federal  standard?  WTiat  do  you  think? 

Mr.  Swire.  Well,  we  could  go  on  for  quite  some  time  

Mr.  HODES.  I  know. 

Mr.  Swire  [continuing].  To  try  to  figure  out  how  to  do  that, 
but  

Mr.  HODES.  I  have  only  got  5  minutes. 

Mr.  Swire.  I  know,  and  I  will  try  to  do  it  in  about  four  sentences. 
Not  really. 

The  first  point  is  best  does  not  mean  stricter  or  less  strict.  You 
can't  avoid  making  some  judgments  here,  so  when  it  comes  to  HIV 
data  you  have  a  public  health  issue  if  people  won't  get  tested,  and 
if  you  repeal  for  big  cities'  HIV  protections  you  could  face  public 
health  risks,  and  that  doesn't  seem  like  a  good  idea  to  me. 

But  I  think  one  step  here  is  I  think  that  HHS  and  the  Govern- 
ment can  play  a  much  better  role  in  helping  us  all  understand 
what  the  State  laws  are,  and  here  is  a  specific  thing.  There  is  this 
RTI  study — that  is  the  contractor  for  HHS — and  they  have  gone 
and  done  studies  of,  I  think,  34  States.  I  have  been  told  by  some- 
body who  has  been  near  the  process  that  they  are  not  planning  to 
release  the  surveys  from  the  States  to  the  public.  It  seems  to  me 
if  Government  is  going  to  spend  contractor  money  to  try  to  figure 
out  what  all  these  State  laws  mean,  they  reduce  compliance  costs 
for  everybody  if  we  get  that  information  out  to  everybody,  so  just 
a  much  better  job  of  education  and  getting  the  information  out 
there  so  that  people  don't  have  to  go  to  expensive  law  firms  to  try 
to  figure  it  out.  That  is  one  step  toward  knowing  what  needs  to  be 
done. 

Ms.  Grealy.  Congressman,  I  would  like  to  comment  

Mr.  HoDES.  Please.  Thank  you. 

Ms.  Grealy  [continuing].  Because  we  undertook  one  of  those 
very  expensive  studies,  $1  million  investment,  to  have  a  tool  where 
providers  could  check  to  see  what  is  the  State  law,  what  is  the  var- 
iation. That  still  requires  time.  It  is  a  lot  of  money  to  maintain  that 
system,  and  I  don't  think  it  addresses  your  question.  I  don't  think 
it  really  gives  us  a  workable  national  standard.  Just  because  we 
have  the  information  from  the  RTI  study,  we  still  have  all  this  var- 
iation. 

We  don't  have  to  sacrifice  privacy  to  develop  this  standard.  Again 
I  reference  Section  6  in  H.R.  4852,  which  really  set  out  a  process. 
Let's  look  at  the  States,  let's  study  the  variation,  and  then  come 
up  with  recommendations  as  to  what  would  be  the  appropriate  rule 
in  those  very  sensitive  areas.  We  have  done  it  for  mental  health 
to  a  certain  degree  in  the  HIPAA  privacy  rule,  but  we  certainly 
could  improve  it  in  those  other  areas. 

Mr.  HODES.  Thank  you. 

Mr.  Pickard,  did  you  want  to  comment? 
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Mr.  PiCKARD.  No. 

Mr.  HODES.  Thank  you. 

Mr.  Chairman,  I  3deld  back.  Thank  you  very  much. 

Mr.  Clay.  Thank  you  for  that  hne  of  questions. 

I  asked  this  question  to  GAO  during  the  first  panel  and  would 
like  to  hear  your  thoughts  on  the  topic.  A  significant  problem  with 
HIPAA  is  that  it  does  not  cover  all  entities  that  possess  or  utilize 
personal  health  information.  Some  life  insurers  and  research  enti- 
ties not  involved  with  the  treatment  of  patients  fall  outside  the 
rules.  In  your  work,  have  you  analyzed  this  problem?  And  how  sig- 
nificant is  it,  in  your  view? 

Let's  start  with  Mr.  Swire. 

Mr.  Swire.  OK.  So  this  has  to  do  with  who  should  be  covered  en- 
tities, and  the  statute  sets  that  forth.  HHS  doesn't  have  a  lot  of 
wiggle  room  on  that,  so  it  would  have  to  come  from  Congress. 

I  think  that  for  life  insurance  it  is  not  such  a  big  program. 
Graham-Leach-Bliley  applies  there.  But  in  my  testimony  I  point 
out  that  if  you  say  anything  that  touches  medical  data,  like  I  buy 
a  breast  cancer  book  for  somebody  on  Amazon,  we  don't  want  to 
suddenly  have  HIPAA  kick  in  just  because  they  mention  the  word 
health,  and  so  how  to  expand  it  is  something  that  you  have  to  be 
careful  about. 

One  area  of  concern  is  that  public  health  agencies  are  not  subject 
to  Federal  laws,  and  law  enforcement  when  it  grabs  health  data, 
and  there  may  be  some  work  to  be  done  on  the  Government's  side 
to  make  sure  that  effective  protections  are  in  place,  especially  if 
they  are  trying  to  gather  lots  of  bio-surveillance  kinds  of  things 
going  forward. 

Mr.  Clay.  Mr.  Pickard. 

Mr.  Pickard.  Yes.  If  I  could  just  say,  that  is  an  important  ques- 
tion. I  think  that  our  association,  AHIMA,  strongly  believes  in  har- 
monization of  all  of  the  privacy  protections  across  all  entities. 
When  you  look  at  the  personal  health  records,  when  HIPAA  was 
developed  personal  health  records  were  barely  being  talked  about. 
In  a  university  setting  with  student  records  there  is  a  lack  of  har- 
monization, as  I  mentioned  in  my  testimony,  between  the  FERPA, 
or  Family  Education  Rights  Privacy  Act,  and  HIPAA.  There  are  dif- 
ferences. And  so  I  think  it  is  an  important  question,  and  I  think 
that,  again,  I  agree  it  is  one  that  will  require  answers  and  consid- 
eration as  we  move  forward. 

Mr.  Clay.  Thank  you. 

Ms.  Grealy,  any  thoughts? 

Ms.  Grealy.  Well,  as  always,  it  is  a  balancing  question.  We  want 
to  make  sure  that  we  are  not  stifling  innovation,  as  we  have.  I 
mean,  I  think  we  are  finally  beginning  to  see  patients  becoming 
more  engaged  in  helping  to  manage  their  health  care,  and  getting 
them  engaged  with  personal  health  records  I  think  is  a  very  posi- 
tive thing.  We  want  to  make  sure  that  they  feel  very  secure  when 
they  are  sharing  that  information. 

Now,  is  the  best  way  to  go  about  that,  make  everyone  a  covered 
entity?  Is  it  better  to  make  them  business  associates?  I  think  we 
just  have  to  make  sure  that  the  rules  are  clear,  that  we  don't  have 
conflicting  standards  out  there.  So  if  you  start  expanding  business 
associates,  making  them  covered  entities,  they  may  be  in  one  sense 
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a  business  associate,  have  to  comply  with  a  covered  entity's  rules, 
but  then  in  another  setting  they  become  a  covered  entity,  and  they 
all  hold  a  different  set  of  standards. 

So,  again,  we  know  that  there  is  work  going  on  in  this  area.  I 
know  i&IC  is  looking  at  it.  We  are  going  to  be  testifying  before 
them  on  Friday.  But,  again,  just  carefully  looking  at  those  and 
making  sure  that  we  are  not  getting  into  over-regulation  and  sti- 
fling the  innovation  that  is  really  taking  place  out  there. 

I  think  one  of  the  most  important  things  I  heard  from  the  GAO 
panel,  and  something  that  we  really  have  to  focus  on,  is  educating 
the  public,  communicating  to  them  why  do  we  want  this  informa- 
tion, but,  more  importantly,  why  is  it  good  for  you  as  a  patient  for 
us  to  have  this  information.  Why  do  we  want  it?  How  are  we  going 
to  share  it?  And  how  are  we  going  to  protect  that  information  and 
keep  it  secure?  So  they  know  under  HIPAA  and  various  State  stat- 
utes we  can't  disclose  it  to  their  employer,  we  can't  disclose  it  to 
the  newspaper,  we  can't  disclose  it  to  their  neighbors.  But  we  have 
to  assure  people  that  it  is  important  for  their  health  and  for  the 
health  of  future  generations  for  us  to  have  a  workable  privacy  rule 
that  allows  for  the  necessary  flow  of  health  information. 

Mr.  Clay.  Along  those  same  lines,  there  is  significant  debate  con- 
cerning the  most  effective  way  to  obtain  patient  authorization  for 
the  disclosure  or  sharing  of  personal  health  information.  For  a  na- 
tional health  information  network  to  be  successful,  doesn't  it  re- 
quire a  stronger  uniform  privacy  standard  that  requires  affirmative 
consent  from  a  patient  for  all  information  disclosure?  And  yes,  we 
can  start  with  you.  I  would  like  to  hear  comments  from  the  entire 
panel. 

Ms.  Grealy.  I  have  the  great  benefit  of  every  once  in  a  while  get- 
ting out  there  and  talking  to  the  real  people  that  are  actually  doing 
this.  I  was  just  in  Delaware,  where  they  are  doing  a  demonstration 
project  with  a  health  information  network.  We  talked  about  this. 
Let's  call  it  opt-in  versus  opt-out. 

I  am  going  around  and  asking  this  question:  how  would  your 
data  exchange  system  work  if  it  had  to  be  an  opt-in?  If  you  are  the 
Mayo  that  has  a  century  worth  of  data,  longitudinal  studies,  how 
would  it  work  if  you  had  to  have  an  opt-in  as  opposed  to  you  have 
the  information,  you  give  people  the  opportunity  to  opt-out  of  it? 
But  if  you  had  to  go  to  each  individual  patient,  to  each  individual 
subject  that  you  want  included,  and  get  their  affirmative  decision 
to  be  included  and  to  share  their  electronic  medical  record,  I  think 
it  would  halt  the  system. 

If  we  have  to  make  a  decision  between  the  two,  certainly  opt-out 
is  going  to  be  better. 

Mr.  Clay.  Mr.  Pickard,  any  comments? 

Mr.  Pickard.  Yes.  Again,  I  think  this  is  probably  an  area  where 
AHIC  is,  in  terms  of  their  Privacy  and  Security  Committee  is  look- 
ing into  these  types  of  issues. 

I  can  tell  you  in  the  State  of  Tennessee,  with  our  health  informa- 
tion exchange  we  have  run  up  against  this  very  question  or  this 
very  issue,  and  we  have  put  in  protocols  to  enable  patients  to  opt 
in  or  opt  out,  and  then  certainly  you  have  the  whole  concept  of  pa- 
tient identification.  But,  again,  I  think  it  is  an  important  issue. 

Mr.  Clay.  Mr.  Swire. 
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Mr.  Swire.  Thank  you.  So  the  one  way  this  comes  up  is  if  some- 
body sees  a  psychiatrist  or  gets  substance  abuse  or  something  else 
and  they  say,  look,  I  don't  want  this  going  out  to  everybody  every- 
where. So  one  idea  of  consent  or  authorization  is  some  way  for  the 
patient  to  say,  hold  on,  not  this. 

I  think  it  makes  sense  to  a  lot  of  people  that  some  sort  of  permis- 
sion for  patients  or  some  sort  of  control  over  that  might  make 
sense. 

Now,  we  can  talk  opt-in/opt-out.  Some  of  the  systems  don't  want 
to  have  an  opt  at  all.  They  just  want  to  say  we  are  going  to  sign 
everybody  up.  I  think  that  is  a  concern.  So  if  you  don't  want  to  be 
in  at  all,  if  you  don't  want  to  just  sort  of  have  my  doctor  puts  ev- 
erything in  and  I  have  no  control  over  that,  I  don't  think  that  is 
the  right  place  to  be.  The  question  is  what  point,  for  how  many 
choices,  will  a  patient  have  any  say. 

I  worked  on  Markle's  Connecting  for  Health  Task  Force,  and 
they  have  a  write-up  on  this  that  I  think  goes  through  it  in  a  sen- 
sible way,  and  I  think  you  end  up  with  an  opt  out  where  that  is 
realistic  where  patients  say,  look,  it  generally  goes  in,  but  if  I  say 
it  doesn't  we  should  try  to  build  it  so  it  doesn't  go  in. 

Mr.  Clay.  Just  to  pause  after  hearing  the  three  different  re- 
sponses, what  is  the  damage?  What  is  the  harm  if  someone  other 
than  a  health  care  provider  gets  a  copy  of  an  x-ray  or  they  get  a 
record  of  a  prescription?  What  do  you  think  the  harm  is? 

Ms.  Grealy.  I  think  the  concern  is  that  the  health  care  provider 
might  not  get  the  x-ray.  I  mean,  I  am  not  even  talking  about  disclo- 
sures to  those  that  really  shouldn't  have  the  information.  We  are 
talking  about  patients  saying,  no,  provider,  the  physician  treating 
me  cannot  have  this  information.  So  we  have  to  be  very,  very  cau- 
tious, again,  in  that  balance  of  making  sure,  and  there  may  be  a 
system  of,  you  know,  flagging  it  so  the  physician  knows  I  don't 
have  all  the  information,  I  had  better  check  with  this  patient. 

I  am  not  sure  how  that  translates  when  we  are  trying  to  build 
data  bases  to  improve  the  quality  of  health  care,  to  improve  treat- 
ment for  disease,  if  we  have  a  lot  of  critical  missing  information. 

Mr.  Clay.  Well,  like  the  example  you  use  in  your  testimony,  the 
pharmacist  should  have  relayed  to  both  physicians  for  your  father 
what  medicines? 

Ms.  Grealy.  If  this  were  something  that  he  was  getting  at  a 
pharmacy,  you  are  right.  CVS,  one  of  our  members,  they  have  gone 
electronic,  so  they  can  do  those  alerts.  But  these  were  services, 
these  were  hormone  shots,  one  being  giv^n  in  the  oncologist's  office 
and  the  other  being  part  of  the  dialysis  center  treatment.  There  is 
no  pharmacist  in  the  picture,  no  electronic  medical  record  to  ex- 
change that  information,  and  so  no  way  to  alert. 

Mr.  Clay.  Mr.  Pickard,  any  thoughts? 

Mr.  Pickard.  Again,  I  think — and  I  said  this  in  my  testimony — 
I  think  we  need  to  move  away  from  thinking  about  the  type  of  in- 
formation and  the  entity  and  make  sure  that  the  privacy  protec- 
tions do  follow  the  health  information  wherever  it  resides. 

Let  me  just  share.  If  I  am  an  employee,  I  want  the  capability  to 
opt  out  and  to  perhaps  not  have  my  employer  have  certain  types 
of  information.  This  is  particularly  important  in  today's  environ- 
ment where  a  lot  of  employers  or  insurances,  for  that  matter,  are 
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developing  personal  health  record  tools  for  employees  or  subscrib- 
ers. I  think  as  an  employee  or  an  insurance  subscriber,  I  should 
have  that  right  to  opt  out  of  that. 

Mr.  Swire.  Just  one  point  to  add  on  is  that  some  of  the  most  sen- 
sitive kinds  of  data  that  I  have  been  talking  about,  the  mental 
health  and  substance  abuse,  genetic,  or  whatever,  are  only  pro- 
tected by  State  law,  so  even  if  x-rays  aren't,  these  other  things  are 
only  protected  by  State  law,  and  if  we  were  to  harmonize  at  the 
national  baseline  then  those  psychiatric  notes,  the  substance  abuse 
things,  and  the  rest  could  be  going  through  the  system,  and  that 
is  a  reason  not  to  preempt  too  strictly  or  not  to  preempt  at  a  low 
level. 

Mr.  Clay.  Let  me  ask  this.  This  is  a  question  for  the  entire 
panel.  There  have  been  long-term  concerns  on  how  health  informa- 
tion is  treated  differently  under  institutions  that  are  also  covered 
under  different  privacy  regulations,  such  as  Family  Educational 
Rights  and  Privacy  Act  of  1974.  Under  the  privacy  rule,  records 
protected  by  FERPA  are  not  covered  by  the  privacy  rule;  therefore, 
even  if  the  information  contained  in  an  education  record  is  health 
related,  the  privacy  rule  does  not  apply. 

Is  this  an  area  where  conflicts  ought  to  be  addressed  in  order  to 
harmonize  the  way  in  which  patient  information  is  protected? 

Ms.  Grealy,  we  will  ask  you  first. 

Ms.  Grealy.  Well,  I  think  one  of  the  things  that  those  that  actu- 
ally have  to  do  compliance  are  always  looking  for  is;  give  me  uni- 
formity. Make  it  simple.  Don't  have  one  set  of  standards  here,  an- 
other set  of  standards  there.  So  I  think  any  way  we  can  harmonize 
these  requirements  is  a  positive  thing. 

Mr.  Clay.  Mr.  Pickard. 

Mr.  Pickard.  I  agree.  And  let  me  just  share,  working  in  a  uni- 
versity, you  know,  we  interact  and  deal  with  both  HIPAA  regula- 
tions as  well  as  FERPA  regulations,  and  if  I  am  a  student  and  let's 
say  if  I  have  a  medical  condition  that  requires  me  to  live  off  cam- 
pus, I  have  to  submit  what  actually  becomes  part  of  my  academic 
record  health  information,  and  there  is  a  lack  of  standardization  in 
terms  of  how  that  information  may  or  may  not  be  handled.  So  I 
agree.  I  think  there  needs  to  be  a  harmonization  across  all  of  these 
different  laws. 

Mr.  Clay.  Thank  you. 

Mr.  Swire. 

Mr.  Swire.  I  am  going  to  disagree  on  the  FERPA  one.  I  will  just 
explain  why.  That  was  an  issue  that  I  worked  on  extensively  dur- 
ing the  rule  and  the  comments  from  the  schools,  associations,  and 
the  rest.  The  logic  at  the  time — and  maybe  it  is  different  today — 
was  with  school  nurses  in  high  schools  all  over  the  country,  rural 
grade  schools,  all  the  rest,  if  we  harmonized  to  HIPAA,  which  is 
what  AHIMA  recommends  and  is  worth  considering,  if  we  har- 
monize to  HIPAA  then  the  school  nurse  in  that  grade  school  out 
in  a  rural  area  would  have  to  do  full  HIPAA  compliance.  And  it 
wasn't  clear  that  was  the  big  risk,  and  it  was  clear  that  there 
would  be  a  whole  compliance  thing  to  do  if  that  happened. 

So  the  idea  there  was  we  thought  that  there  was  a  pretty  reason- 
able FERPA  regime  in  place,  that  the  school  nurses  shouldn't  sud- 
denly have  to  do  more,  and  that  was  a  sensible  way  to  go. 
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Now,  it  does  mean  that  universities  like  Vanderbilt  get  a  double 
whammy,  because  they  get  students  and  then  they  get  some  other 
folks  who  are  HIPAA,  and  suddenly  they  get  both.  In  some  ways 
maybe  Vanderbilt  people  are  so  smart  they  can  handle  it,  but 
maybe  not  every  school  nurse  has  to  do  HIPAA. 

So  I  am  not  really  sure  how  you  harmonize,  because  if  you  har- 
monize that  everybody  is  HIPAA,  then  it  is  the  school  nurses  of 
America  that  will  be  here  next  time. 

Mr.  Clay.  Speaking  of  universities,  Mr.  Swire,  I  will  ask  you  and 
then  go  down  the  line.  Mr.  Mark  Rothstein  of  the  University  of 
Louisville  has  written  extensively  on  the  use  of  compelled  author- 
izations for  personal  health  information  by  employers  for  job  appli- 
cants, life  insurers  for  those  applying  for  coverage,  and  other  non- 
covered  entities.  If  the  current  privacy  rule  does  not  regulate  PHI 
once  it  is  released  to  a  third-party  entity  not  covered  under  the 
rule,  shouldn't  we  re-examine  who  will  be  covered  when  receiving 
electronic  health  information? 

Mr.  Swire.  That  is  a  great  question,  and  it  wouldn't  be  easy  to 
legislate,  but  here  are  a  couple  of  points  that  come  up. 

So  right  now  you  can't  have  compelled  authorizations  for  health 
care  providers.  If  you  show  up  at  the  ER  and  you  are  rolling  in  on 
the  gurney,  they  can't  say,  sign  here  or  we  won't  treat  you,  and  you 
sign  away  ever3^hing.  That  is  in  HIPAA. 

The  thing  was,  when  HIPAA  rules  were  written,  HHS  could  do 
that — that  is  covered  entities — but  HHS  had  no  jurisdiction  over 
the  employers  of  America.  That  just  wasn't  in  the  statute,  so  there 
was  no  choice  in  writing  the  rule  about  what  to  do  for  employers. 
That  is  a  choice  that  only  Congress  can  decide  to  step  into. 

If  you  want  to  say,  as  Congress,  we  are  going  to  treat  the  em- 
ployers the  way  we  treat  the  hospitals,  you  can't  require  these  au- 
thorizations as  a  condition  of  being  employed  here,  that  is  a  deci- 
sion Congress  can  make.  You  are  going  to  hear  it  from  the  employ- 
ers. And  sometimes  employers  will  say  we  need  this  to  figure  out 
if  they  can  lift  the  heavy  loads  or  we  need  it  for  some  other  job- 
related  thing.  But  that  is  what  you  would  have  to  work  through, 
and  it  would  have  to  be  statute.  It  can't  be  by  reg. 

Mr.  Clay.  Thank  you. 

Any  comments  on  that,  Mr.  Pickard? 

Mr.  Pickard.  Yes.  We  are  seeing  many,  many  different  types  of 
entities  outside  of  the  HIPAA-covered  entities  and  business  associ- 
ates that  are  handling  health  information.  Again,  this  goes  back  to 
our  principles  I  shared  earlier,  and  that  is  that  we  really  look  to 
confidentiality  protections  following  the  health  information,  no 
matter  where  it  resides,  and  there  needs  to  be  a  national  floor  for 
handling  health  information. 

Mr.  Clay.  OK.  Ms.  Grealy. 

Ms.  Grealy.  I  talked  with  a  few  of,  I  think,  entities  that  people 
are  referring  to.  Revolution  Health  Care  is  one  that  is  really  get- 
ting into  working  with  consumers,  developing  a  personal  health 
record  that  they  can  access  through  the  internet.  They  have  a  con- 
tractual relationship  with  the  consumers  that  they  are  dealing 
with,  and  they  say  that  they  are  HIPAA  compliant,  even  though 
they  are  not  a  covered  entity;  that  they  feel  it  is  a  good  business 
practice.  They  want  the  trust  of  the  consumers  that  they  are  deal- 
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ing  with,  and  it  is  in  their  best  interest  to  make  sure  that  they 
have  a  high  level  of  security  and  protecting  that  information. 

So  I  think  all  of  us  have  mentioned  we  know  that  AHIC,  HHS, 
and  others  are  really  exploring  these  issues,  and  I  think  that  is 
really  the  appropriate  place;  that  we  need  to  look  at  it  carefully; 
make  sure,  as  I  said  earlier,  that  we  are  not  stifling  innovation  by 
expanding  the  reach  of  a  heavy  regulatory  sche'me;  and  make  sure 
that  it  is  balanced  well,  because  I  don't  think  we  want  to  snuff  out 
the  innovation  that  is  going  on  out  there,  but  we  do  want  to  make 
sure  that  this  information  is  protected. 

Mr.  Clay.  All  right.  Thank  you. 

Let  me  thank  the  entire  panel  for  their  testimony  and  their  an- 
swers. We  have  certainly  covered  some  ground  today.  This  is  a  very 
complex  issue.  As  the  Congress  takes  this  issue  on  of  health  infor- 
mation technology  and  how  we  actually  protect  the  privacy  of  citi- 
zens throughout  this  country,  patients,  we  will  certainly  rely  on 
your  expertise,  and  this  hearing  has  been  helpful  in  shedding  light 
on  this.  Let  me  again  thank  you  all  for  your  testimony  today. 

That  concludes  this  hearing. 

[Whereupon,  at  3:30  p.m.,  the  subcommittee  was  adjourned.] 
[Additional  information  submitted  for  the  hearing  record  follows:] 
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Honorable  Chairman  Clay,  thank  you  for  the  opportunity  to  submit  testimony  on  behalf  of  the 
Department  of  Health  and  Human  Services  (HHS)  about  protecting  patient  privacy  in  healthcare 
information  systems. 

Introduction 

On  April  27,  2004,  the  President  signed  Executive  Order  13335  announcing  his  commitment  to 
the  promotion  of  health  information  technology  (health  IT)  to  improve  efficiency,  reduce 
medical  errors,  improve  quality  of  care,  and  provide  better  information  for  patients  and 
physicians.  At  that  time,  the  President  also  called  for  widespread  adoption  of  electronic  health 
records  (EHRs)  by  2014  so  that  health  information  will  follow  patients  throughout  their  care  in  a 
seamless  and  secure  manner.  Reaching  this  ambitious  goal  requires  cooperation  among  Federal 
agencies  and  Departments  that  play  a  role  in  advancing  our  understanding  and  use  of  health  IT, 
coordination  across  all  Federal  health  IT  programs;  and  coordination  with  the  private  sector. 
Toward  those  ends,  the  President  directed  the  Secretary  of  HHS  to  establish  within  his  office  the 
position  of  the  National  Coordinator  for  Health  Information  Technology  to  advance  this  vision. 

Moreover,  on  August  22,  2006,  the  President  issued  Executive  Order  13410  to  ensure  that  health 
care  programs  admmistered  or  sponsored  by  the  Federal  Government  promote  quality  and 
efficient  delivery  of  health  care  through  the  use  of  interoperable  health  IT,  transparency 
regarding  health  care  quality  and  price,  and  better  incentives  for  program  beneficiaries,  enrollees, 
and  providers.  The  Executive  Order  further  advances  movement  towards  a  modem  health 
information  system  by  directing,  to  the  extent  permitted  by  law,  that  "[a]s  each  agency 
implements,  acquires,  or  upgrades  health  information  technology  systems  used  for  the  direct 
exchange  of  health  information  between  agencies  and  with  non-Federal  entities,  it  shall  utilize, 
where  available,  health  information  technology  systems  and  products  that  meet  recognized 
interoperability  standards." 

Safeguarding  personal  health  information  is  essential  to  our  national  strategy  for  health  IT.  A 
strategy  devoid  of  measures  to  ensure  privacy  and  security  would  neither  advance  our  interests 
nor  those  of  the  American  people.  HHS's  strategy  recognizes  the  importance  of  collaboration 
with  both  the  public  and  private  sectors,  including  representation  from  consumers  of  health  care 
services.  Many  of  our  activities  rely  on  public  input,  recommendations  from  Federal  advisory 
committees,  and  deliverables  from  contracts  with  a  wide  variety  of  health  care  and  IT  sector 
collaborators,  among  other  sources.  Nationwide  health  IT  adoption  can  only  be  accomplished 
through  the  coordinated  effort  of  many  stakeholders,  within  both  state  and  Federal  governments 
and  the  private  sector.  HHS  has  taken  great  care  to  engage  representatives  of  all  these  sectors  in 
our  many  health  IT  initiatives  -  an  effort  that  involves  many  processes  and  the  work  of 
thousands  of  participants. 

Health  Information  Privacy  and  Security 

The  movement  towards  interoperable  electronic  health  records  will  create  both  new  challenges 
and  new  opportunities  with  respect  to  protecting  the  privacy  and  security  of  health  information. 
When  protecting  Federal  information,  including  personally  identifiable  information  and  health 
information,  the  Government  already  has  a  robust  framework  in  place  and  numerous  policies 
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related  to  the  privacy  and  security  of  information,  including  but  not  limited  to:  requirements  set 
forth  in  the  Federal  Information  Security  Management  Act  (FISMA),  the  Privacy  Act,  Office  of 
Management  and  Budget  policies,  and  guidance  and  standards  put  forth  by  the  National  Institute 
of  Standards  and  Technology  (NIST).  For  example,  under  FISMA,  government  information 
(including  health  information  and  personally  identifiable  information)  is  required  to  be 
categorized  and  protected  based  on  the  level  of  risk  associated  with  that  information.  Guidance 
documents  and  standards  exist  for  agencies  to  follow  -  requiring  minimum  technical,  operational, 
and  management  controls. 

HHS  has  promulgated  several  rules  that  establish  critical  foundations  of  Federal  confidentiality, 
privacy,  and  security  protections  for  health  information  across  the  health  care  system,  including 
the  Health  Insurance  Portability  and  Accountability  Act  of  1996  (HIPAA)  Privacy  Rule,  the 
HIPAA  Security  Rule,  and  the  Confidentiality  of  Alcohol  and  Drug  Abuse  Patient  Records 
Regulation.  Taken  together,  these  Rules  establish  the  foundational  principles  of,  and  form  the 
context  for,  the  comprehensive  privacy  and  security  approach  HHS  continues  to  take  as  part  of 
our  national  health  IT  agenda.  Furthermore,  HHS  believes  the  current  HIPAA  statute  provides 
an  appropriate  amount  of  flexibility  to  protect  health  information  exchanged  by  HIPAA  covered 
entities  in  the  health  IT  environment  while  allowing  best  practices  to  emerge.  However,  there 
are  differences  between  Federal  laws,  State  laws  and  business  practices,  which  can  provide 
additional  challenges  for  the  sharing  of  health  information  in  a  private  and  secure  manner,  an 
issue  that  is  currently  being  examined. 

The  number,  type,  and  sophistication  of  tools  that  protect  electronic  information  are  growing  at 
an  ever-increasing  rate  and  provide  the  opportunity  to  offer  health  privacy  protections  beyond 
those  in  the  paper  environment.  For  example,  implementation  of  role-based  access  controls  and 
auditing,  when  implemented  electronically,  can  limit  access  to  a  patient's  record  to  only  those 
individuals  who  need  the  information  for  treatment.  Audit  trails  can  automatically  record  who 
viewed  the  health  record  and  can  be  used  after  the  fact  to  identify  any  unauthorized  access, 
leading  to  improvements  in  training  or,  if  warranted,  corrective  action. 

HHS  is  very  committed  to  privacy  and  security  as  it  works  toward  the  President's  goal  of 
widespread  interoperable  electronic  health  records.  Ultimately,  the  effective  coordination  of 
health  IT  activities  will  help  create  an  environment  in  which  the  health  status  of  the  American 
public  is  improved  while  information  remains  private  and  secure. 

Ensuring  Privacy  and  Security  Protections  through  Health  IT 

Protecting  health  information  in  an  interoperable  electronic  environment  requires  a  coordinated 
effort  by  all  stakeholders.  At  HHS,  we've  leveraged  existing  foundations;  created  new  public- 
private  collaborations;  and  partnered  with  other  federal  departments,  states,  health  care 
organizations,  and  consumers  to  continue  this  critical  dialogue.  Privacy  and  security  policies 
must  be  coordinated  and  developed  openly  -  with  abundant  public  input  -  m  order  to  ensure  a 
high  degree  of  trust.  Many  privacy  and  security  frameworks  are  in  existence,  and  we  need  to 
leverage  the  work  that  has  been  done  as  we  apply  these  principles  in  the  area  of  health  IT. 
Further,  this  is  both  iterative  and  informed.  Technological  solutions  are  being  advanced  to 
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support  the  confidentially  of  patient  data  and  to  accommodate  current  and  future  policy 
decisions. 

To  that  end,  HHS  has  initiated  several  projects  focusing  on  the  development  and  harmonization 
of  privacy  and  security  standards.  HHS  directed  the  establishment  of  the  Healthcare  Information 
Technology  Standards  Panel  (HITSP),  which  has  focused  on  the  harmonization  of  standards, 
including  those  related  to  privacy  and  security.  ONC  continues  to  work  closely  with  the 
Certification  Commission  for  Healthcare  Information  Technology  (CCHIT)  to  develop 
certification  criteria  for  electronic  health  records  and  networks.  The  Department  has  also  been 
actively  advancing  the  Nationwide  Health  Information  Network  (NHIN)  Initiative,  which  will 
ensure  consumers  have  an  active  role  in  determining  the  uses  of  their  health  information  wWle 
supporting  local  and  state  policies. 

We  are  working  to  achieve  a  balance  between  our  technical  capabilities  to  exchange  health 
information  and  the  privacy  and  security  policies  that  protect  it.  Appropriate  privacy  and 
securit>'  policies  must  account  for  available  technologies  and  anticipate  technological 
improvements,  without  being  outpaced  by  innovations  developed  for  the  NHIN  and  interoperable 
health  IT.  At  the  June  12,  2007,  American  Health  Information  Community  meeting,  I  described 
the  process  HHS  is  undertaking  to  develop  a  privacy  and  security  framework  that  will  meet  the 
expectations  of  health  care  consumers  and  foster  the  adoption  of  practices  that  promote  trust  in 
this  new  environment.  One  of  our  first  steps  will  be  to  engage  public  and  private  entities, 
including  the  general  public,  to  refme  and  build  consensus  around  a  set  of  privacy  and  security 
principles  to  protect  individuals'  health  information  in  an  interoperable  electronic  environment 
applicable  to  both  the  public  and  private  sectors. 

HHS  has  invested  significant  resources  and  efforts  in  our  nationwide  strategy  for  protecting 
health  information.  Our  national  health  IT  agenda  approaches  privacy  and  security  through  a  fiill 
suite  of  activities  that  both  inform  current  work  and  prepare  for  future  needs. 

Privacy  and  Security  Solutions  for  Interoperable  Health  Information  Exchange 
The  Privacy  and  Security  Solutions  contract  awarded  to  RTI  International  (RTI),  co-managed  by 
the  Office  of  the  National  Coordinator  for  Health  Information  Technology  (ONC)  and  the 
Agency  for  Healthcare  Research  and  Quality  (AHRQ),  has  fostered  an  environment  for  states 
and  territories  to:  (1)  assess  variations  in  organization-level  business  pohcies  and  state  laws  that 
affect  health  information  exchange;  (2)  identify  and  propose  practical  solutions,  while  preserving 
the  privacy  and  security  requirements  in  applicable  Federal  and  state  laws;  and  (3)  develop 
detailed  plans  to  implement  solutions  to  identified  privacy  and  securit>'  challenges.  States  and 
territories  -  through  the  participation  of  many  volunteer  stakeholders  including  physicians, 
pharmacists,  consumers,  health  IT  vendors,  laboratories,  attorneys,  insurers,  etc.  -  have  focused 
their  work  on  an  analysis  of  eighteen  health  information  exchange  scenarios  which  expose 
challenges  their  state  or  territor>'  may  face  in  an  electronic  environment.  The  scenarios,  which 
touch  on  issues  such  as  treatment,  payment,  research,  and  bioterrorism,  provided  states  and 
territories  a  framework  within  which  to  map  their  variations  in  business  practices  and  policies  to 
the  nine  supplied  "domains"  of  privacy  and  security; 
•        user  and  entity  authentication; 

authorization  and  access  control; 
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•  patient  and  provider  identification; 

•  transmission  security; 

•  information  protection; 

•  information  audits; 
administrative  and  physical  safeguards; 

•  state  law;  and 

•  use  and  disclosure  policy. 

The  34  states  and  territories  that  are  part  of  the  Health  Information  Security  and  Privacy 
Collaboration  (HISPC)  under  the  Privacy  and  Security  Solutions  contract  participated  in  ten 
regional  meeiings  in  the  fall  of  2006  and  one  nationwide  meeting  in  March  2007,  where  they 
exchanged  experiences  with  regional  counteiparts  and  discussed  the  appearance  of  common 
themes  such  as  differing  applications  and  interpretations  of  HIPAA  regulations,  state  consent 
laws,  and  state  variations  in  protections  provided  to  sensitive  information,  such  as  HTV/AIDS 
information  and  mental  health  records.  This  summer,  RTI  will  publish  three  reports  that  describe 
the  variations  in  organization-level  business  policies  and  state  laws  which  pose  challenges  to 
private  and  secure  electronic  health  information  exchange;  state  plans  to  implement  solutions  to 
address  those  challenges;  and  recommendations  for  the  federal  government  to  consider.  Starting 
in  July,  the  states  and  territories  that  are  part  of  the  HISPC  will  begin  operationalizing  their 
implementation  plans  as  well  as  preparing  collaboration  strategies  with  all  states  and  territories 
for  regional  and  multi -state  solution  development. 

State  Alliance  for  E-Health 

ONC  contracted  with  the  National  Governors  Association  Center  for  Best  Practices  to  create  the 
State  Alliance  for  e-Heaith  (State  Alliance).  The  State  Alliance  is  an  initiative  designed  to 
improve  the  nation's  health  care  system  through  the  formation  of  a  collaborative  body  that  brings 
together  key  state  decision  makers.  This  body,  led  by  Governors  and  other  high-level  executives 
of  states  and  U.S.  territories,  is  charged  with:  (1)  identifying,  assessing  and,  through  the 
formation  of  consensus  solutions,  mapping  ways  to  resolve  state-level  health  IT  policy  issues 
that  affect  multiple  states  and  pose  challenges  to  interoperable  electronic  health  information 
exchange;  (2)  providing  a  forum  in  which  states  may  collaborate  so  as  to  increase  the  efficiency 
and  effectiveness  of  the  health  IT  initiatives  that  they  develop;  and  (3)  focusing  on  privacy  and 
security  policy  issues  surrounding  the  use  and  disclosure  of  electronic  health  information.  The 
Health  Information  Protection  taskforce,  one  of  three  taskforces  under  the  State  Alliance,  is 
responsible  for  examining  privacy  and  security  issues.  With  coordinated  input  from  HISPC 
participants  and  testimony  from  experts  in  health  privacy  and  security,  this  taskforce  will 
recommend  to  the  State  Alliance  policies  for  states  and  territories  to  adopt  (and  vehicles  to 
facilitate  adoption)  that  will  encourage,  where  appropriate  and  without  diminishing  protections, 
uniformity  in  their  health  IT  privacy  and  security  practices. 

Development  of  Best  Practices  for  State  HIE  Initiatives 

ONC  has  awarded  a  contract  to  the  Foundation  of  Research  and  Education  (FORE)  of  the 
American  Health  Information  Management  Association  (AHIMA)  to  gather  information  from 
existing  state-level  Health  Information  Exchanges  and  define,  through  a  consensus-based 
process,  best  practices,  including  privacy  and  security  practices,  that  can  be  disseminated  across 
a  broad  spectrum  of  health  care  and  governmental  organizations.  FORE  derived  the  information 
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from  health  information  exchange  policies  and  other  sources  on  governance,  legal,  financial  and 
operational  characteristics,  and  health  information  exchange  policies.  From  their  findings,  they 
developed  guiding  principles  and  practical  guidance  for  state-level  health  information  exchanges. 
AHIMA  also  developed  a  workbook  and  final  report  to  disseminate  guiding  principles,  and 
recommendations  on  how  to  encourage  conformance  with  best  practices  and  coordination  across 
state  and  federal  initiatives. 

American  Health  Information  Community:  Confidentiality,  Privacy,  and  Security  (CPS) 
Workgroup 

In  September  2005,  the  Secretary  established  the  American  Health  Information  Community 
(AHIC),  a  federally-chartered  advisory  committee  made  up  of  key  leaders  fi"om  the  public  and 
private  sectors,  charged  with  making  recommendations  to  HHS  on  key  health  IT  strategies.  On 
the  basis  of  a  recommendation  issued  jointly  by  three  of  its  workgroups  (Chronic  Care, 
Electronic  Health  Records,  Consumer  Empowerment),  the  AHIC  created  a  workgroup  in  the 
summer  of  2006  specifically  focused  on  nationwide  privacy  and  security  issues  raised  by  health 
IT  activities  and  the  findings  of  the  other  AHIC  workgroups.  Privacy  and  security  are  one  of  the 
most  consistent  threads  between  each  of  the  workgroups  and  their  breakthrough  projects.  The 
members  for  this  Confidentiality,  Privacy,  and  Security  workgroup  were  carefully  selected  to 
assure  that  there  was  sufficient  privacy  and  security  expertise,  sufficient  consumer  input,  and 
representation  of  relevant  health  care  stakeholders  that  may  be  affected  by  any  recommendations 
developed.  The  workgroup's  first  set  of  recommendations  to  the  AHIC  on  patient  identity 
proofing  were  advanced  and  accepted  after  deliberation  by  the  AHIC  on  January  23,  2007,  for 
recommendation  to  HHS.  In  the  next  phase  of  the  NHIN  Initiative,  selected  contractors  vwll  be 
required  to  meet  privacy  and  security  functional  requirements  and  specifications  derived  fi-om 
NCVHS  and  relevant  AHIC  recommendations  (including  the  CPS  recommendation  above)  as 
well  as  other  health  IT  initiatives.  Additionally,  on  June  12,  2007,  the  AHIC  accepted  a 
recommendation  fi"om  the  workgroup  that  expressed  how  and  to  whom  privacy  and  security 
protections  should  apply  in  an  electronic  health  information  exchange  environment.  Its  letter  to 
the  AHIC  (available  at  http://www.hhs.gov/healthit/community/meetings/m20070612.html) 
describes  in  greater  detail  the  work  undertaken  thus  far  and  the  workgroup's  next  steps. 

In  addition,  the  ONC  is  cxirrently  working  to  ensure  that  the  AHIC  CPS  workgroup  works 
collaboratively  with  the  National  Committee  for  Vital  and  Health  Statistics,  to  address  the 
challenges  posed  by  secondary  uses  of  health  information  in  an  electronic  environment  including 
those  related  to  non-HIPAA  covered  entities. 

The  Certification  Commission  for  Healthcare  Information  Technology  (CCHIT) 
In  September  2005,  ONC  directed  CCHIT  to  advance  the  adoption  of  interoperability  standards 
and  reduce  barriers  to  the  adoption  of  interoperable  health  information  technologies  through  the 
creation  of  an  efficient,  credible  and  sustainable  product  certification  program.  The  CCHIT 
membership  includes  a  broad  array  of  private  sector  representatives,  including  physicians  and 
other  health  care  providers,  payers  and  purchasers,  health  IT  vendors,  and  consumers.  An 
important  part  of  CCHIT' s  work  is  to  set  criteria  for,  and  certify  the  security  of,  health 
information  systems.  The  certification  process  CCHIT  has  developed  promotes  well-established, 
tested,  security  capabilities  in  health  IT  systems  and  helps  make  certification  a  major  contributor 
to  protecting  the  privacy  and  confidentially  of  the  data  these  systems  manage. 
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CCHIT  has  set  criteria  for  the  certification  of  ambulatory  EHR  systems,  including  twenty-nine 
security  criteria  that  EHRs  had  to  meet  to  achieve  certification  in  2006.  As  of  May  2007, 
CCHIT  has  certified  over  80  ambulatory  EHRs  that  meet  these  security  criteria  and  several 
additional  criterion  for  functionality  and  interoperability.  As  new  privacy  and  security  standards 
are  harmonized,  they  will  be  incorporated  into  future  versions  of  the  certification  criteria. 

Healthcare  Information  Technology  Standards  Panel  (HITSP) 

Pursuant  to  a  contract  with  ONC,  the  American  National  Standards  Institute  (ANSI)  convened 
the  HITSP  in  September  2005,  to  identify  standards  for  use  in  enhancing  the  exchange  of 
interoperable  health  data.- 

A  part  of  the  HITSP  mission  is  to  harmonize  the  standards  necessary  to  allow  for  the  protection 
of  the  privacy  and  security  of  health  data.  The  panel  guides  the  collaboration  of  its  member 
organizations  through  a  standards  harmonization  process  that  leverages  the  work  and 
membership  of  multiple  standards  development  organizations  along  with  the  expertise  from  the 
public  and  private  sector.  The  panel  engages  in  a  consensus-based  process  to  identify  the  most 
appropriate  standards,  to  identify  overlaps  and  gaps  in  standards  where  they  are  inadequate  or 
unavailable  and  specifies  the  use  of  those  standards  to  advance  interoperability. 

On  October  31, 2006,  HITSP  presented  and  the  AHIC  accepted  and  subsequently  recommended 
to  the  Secretary,  three  "Interoperability  Specifications"  that  include  30  consensus  standards  and 
over  800  pages  of  implementation  guidance  for  recommendation  to  HHS.  Recently,  HITSP 
formalized  the  workgroup  it  created  to  focus  on  privacy  and  security  by  establishing  a  technical 
committee  to  identify,  evaluate,  and  select  standards  for  privacy  and  security  to  support  the 
current  suite  of  Interoperability  Specifications  and  2007  use  cases. 

Nationwide  Health  Information  Network  (NHIN) 

In  November  2005,  ONC  awarded  contracts  to  four  consortia  to  develop  prototypes  capable  of 
demonstrating  potential  solutions  for  nationwide  health  information  exchange.  This  initiative  is 
foundational  to  the  President's  vision  for  the  widespread  adoption  of  secure,  interoperable  health 
records  within  10  years.  The  NHIN's  vision  is  to  become  a  "network  of  networks"  where  state 
and  regional  health  information  exchanges  and  other  networks  that  provide  health  information 
services  work  together,  through  common  architecture  (services,  standards  and  requirements), 
processes,  and  polices  to  securely  exchange  information.  In  particular  the  NHIN  will:  provide 
consumers  with  capabilities  to  help  manage  the  flow  of  their  information;  allow  health 
information  to  follow  the  consumer;  provide  critical  information  to  clinicians  at  the  point  of  care; 
and  improve  healthcare,  population  health,  and  prevention  of  illness  and  disease. 

The  first  year  of  the  NHIN  initiative  produced  four  prototype  architectures  and  a  number  of 
architectural  products  that  v^U  be  used  in  the  second  year  of  this  initiative.  A  critical  portion  of 
the  required  NHIN  prototype  deliverables  was  the  development  of  security  models  that  directly 
address  systems  architecture  needs  for  securing  and  maintaining  the  confidentiality  of  health 
data.  The  NHIN  prototypes  included  tlie  development  of  architecture  that  would  provide 
consumers  with  the  ability  to  manage  disclosures  of  their  electronic  health  information. 
Furthermore,  each  participant  was  required  to  comply  with  security  requirements  established  by 
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HHS  and  Federal  laws,  where  applicable,  to  ensure  proper  and  confidential  handling  of  data  and 
information.  Each  delivered  important  architecture  capabilities  that  will  be  used  in  the  next  steps 
of  the  NHIN  to  address  the  complex  issues  of  authentication,  authorization,  data  access 
restrictions,  auditing  and  logging,  consumer  controls  of  information  access  and  other  critical 
contributions. 

This  second  year  of  the  NHIN  initiative  will  involve  the  demonstration  of  trial  implementations 
in  real-world  healthcare  environments  while  maximizing  the  use  of  existing  infrastructure.  The 
trial  implementations  will  be  functional  across  healthcare  markets  in  the  service  area  selected  as 
well  as  with  other  participants  in  the  NHIN  cooperative  and  specialty  networks  involved  in  use 
case  activities.  Moreover,  trial  implementation  sites  will  be  required  to  demonstrate  "core" 
services,  including  a  suite  of  consumer  services.  These  services  will,  in  a  demonstrable  way, 
empower  consumers  with  knowledge  and  choice.  For  certain  interactions  within  a  trial 
implementation,  consumers  will  be  given  an  increased  role  in  determining  the  confidentiality, 
privacy,  and  security  of  their  health  information. 

Conclusion 

Health  IT  privacy  and  security  policies  and  their  associated  technological  solutions  cannot  be 
developed  in  a  vacuum.  A  key  component  for  assuring  that  appropriate  privacy  and  security 
protections  are  in  place  is  to  assure  that  these  efforts  develop  in  tandem  and  that  coordination  is 
consistent  throughout  these  efforts.  This  is  the  role  of  ONC.  We  have  a  conscientious, 
experienced,  and  passionate  staff  that  works  together  closely  on  these  activities  and  other  privacy 
and  security  related  activities  throughout  HHS  and  the  other  Departments  and  Agencies  to  ensure 
that  health  IT  policy  decisions  and  technology  solutions  are  appropriately  coordinated  and 
addressed. 

Protecting  health  information  is  of  the  utmost  importance  and  essential  to  the  success  of 
interoperable  electronic  health  information  exchange.  Proper  policies  that  instill  confidence  and 
trust  must  evolve  with  technology  advancements  and  vice  versa.  Not  letting  one  get  too  far 
ahead  of  the  other  is  a  concern  we  share  and  are  working  hard  to  continue  to  manage.  As  a 
leader  in  this  area  HHS  has  invested  in  multiple  coordinated  initiatives  to  ensure  health 
information  will  be  protected  as  we  enter  this  new  era  of  health  and  care. 

Mr.  Chairman,  thank  you  for  the  opportunity  to  submit  testimony  today. 
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